From 05b7b99a7f857711991411a10bfc3abbbf8a943d Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Tue, 13 Apr 2021 10:31:20 -0400 Subject: [PATCH] removing stale content which was moved long ago --- ...baseline-resolved-profile_catalog-min.json | 1 - ...IGH-baseline-resolved-profile_catalog.json | 40922 ---------------- ...53_rev5-FPD_HIGH-baseline_profile-min.json | 1 - ...800-53_rev5-FPD_HIGH-baseline_profile.json | 1295 - ...baseline-resolved-profile_catalog-min.json | 1 - ...LOW-baseline-resolved-profile_catalog.json | 27293 ----------- ...-53_rev5-FPD_LOW-baseline_profile-min.json | 1 - ...-800-53_rev5-FPD_LOW-baseline_profile.json | 620 - ...baseline-resolved-profile_catalog-min.json | 1 - ...ATE-baseline-resolved-profile_catalog.json | 36638 -------------- ...ev5-FPD_MODERATE-baseline_profile-min.json | 1 - ...53_rev5-FPD_MODERATE-baseline_profile.json | 1037 - ...baseline-resolved-profile_catalog-min.json | 1 - ...ACY-baseline-resolved-profile_catalog.json | 12765 ----- ...rev5-FPD_PRIVACY-baseline_profile-min.json | 1 - ...-53_rev5-FPD_PRIVACY-baseline_profile.json | 326 - ...HIGH-baseline-resolved-profile_catalog.xml | 13348 ----- ...-800-53_rev5-FPD_HIGH-baseline_profile.xml | 451 - ..._LOW-baseline-resolved-profile_catalog.xml | 8727 ---- ...P-800-53_rev5-FPD_LOW-baseline_profile.xml | 226 - ...RATE-baseline-resolved-profile_catalog.xml | 11805 ----- ...-53_rev5-FPD_MODERATE-baseline_profile.xml | 365 - ...VACY-baseline-resolved-profile_catalog.xml | 4180 -- ...0-53_rev5-FPD_PRIVACY-baseline_profile.xml | 128 - ...IGH-baseline-resolved-profile_catalog.yaml | 30913 ------------ ...800-53_rev5-FPD_HIGH-baseline_profile.yaml | 856 - ...LOW-baseline-resolved-profile_catalog.yaml | 20756 -------- ...-800-53_rev5-FPD_LOW-baseline_profile.yaml | 406 - ...ATE-baseline-resolved-profile_catalog.yaml | 27753 ----------- ...53_rev5-FPD_MODERATE-baseline_profile.yaml | 684 - ...ACY-baseline-resolved-profile_catalog.yaml | 9692 ---- ...-53_rev5-FPD_PRIVACY-baseline_profile.yaml | 210 - 32 files changed, 251404 deletions(-) delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile-min.json delete mode 100644 content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.json delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.xml delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.xml delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.xml delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.xml delete mode 100644 content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.yaml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.yaml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.yaml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.yaml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.yaml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.yaml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.yaml delete mode 100644 content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.yaml diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog-min.json deleted file mode 100644 index dc611e9e72..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog-min.json +++ /dev/null @@ -1 +0,0 @@ -{"catalog":{"uuid":"5656c824-bd88-462c-b967-bb7cb01cdbbd","metadata":{"title":"SP800-53 HIGH IMPACT BASELINE","last-modified":"2020-08-26T16:28:38.111-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:39:35.488827Z"}],"links":[{"href":"NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml","rel":"resolution-source","text":"SP800-53 HIGH IMPACT BASELINE"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"a90f4235-ab3c-4bf1-ba0a-865bbc833346","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["a90f4235-ab3c-4bf1-ba0a-865bbc833346"]},"contact":{"party-uuids":["a90f4235-ab3c-4bf1-ba0a-865bbc833346"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2"},{"id":"ac-1_prm_3","label":"organization-defined official"},{"id":"ac-1_prm_4","label":"organization-defined frequency"},{"id":"ac-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-1"},{"name":"sort-id","value":"AC-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ac-1_prm_2 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ac-1_prm_4 }}; and"},{"id":"ac-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ac-1_prm_5 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","parameters":[{"id":"ac-2_prm_1","label":"organization-defined attributes (as required)"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined policy, procedures, and conditions"},{"id":"ac-2_prm_4","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_5","label":"organization-defined time-period"},{"id":"ac-2_prm_6","label":"organization-defined time-period"},{"id":"ac-2_prm_7","label":"organization-defined time-period"},{"id":"ac-2_prm_8","label":"organization-defined attributes (as required)"},{"id":"ac-2_prm_9","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-2"},{"name":"sort-id","value":"AC-02"}],"links":[{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#06d3c11a-4a00-42d9-ad75-e6a777ffae5e","rel":"reference","text":"[SP 800-192]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-24","rel":"related","text":"AC-24"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-37","rel":"related","text":"SC-37"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed for use within the system;"},{"id":"ac-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establish conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ ac-2_prm_2 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ ac-2_prm_4 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ac-2_prm_5 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ ac-2_prm_6 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"\n {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"\n {{ ac-2_prm_8 }};"}]},{"id":"ac-2_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ ac-2_prm_9 }};"},{"id":"ac-2_smt.k","name":"item","properties":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","properties":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy.\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","parameters":[{"id":"ac-2.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"AC-02(01)"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ ac-2.1_prm_1 }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage."}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","parameters":[{"id":"ac-2.2_prm_1"},{"id":"ac-2.2_prm_2","label":"organization-defined time-period for each type of account"}],"properties":[{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"AC-02(02)"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ ac-2.2_prm_1 }} temporary and emergency accounts after {{ ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation."}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","parameters":[{"id":"ac-2.3_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"AC-02(03)"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ ac-2.3_prm_1 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system."}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","properties":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"AC-02(04)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6."}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","parameters":[{"id":"ac-2.5_prm_1","label":"organization-defined time-period of expected inactivity or description of when to log out"}],"properties":[{"name":"label","value":"AC-2(5)"},{"name":"sort-id","value":"AC-02(05)"}],"links":[{"href":"#ac-11","rel":"related","text":"AC-11"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ ac-2.5_prm_1 }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11."}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","parameters":[{"id":"ac-2.11_prm_1","label":"organization-defined circumstances and/or usage conditions"},{"id":"ac-2.11_prm_2","label":"organization-defined system accounts"}],"properties":[{"name":"label","value":"AC-2(11)"},{"name":"sort-id","value":"AC-02(11)"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"Enforce {{ ac-2.11_prm_1 }} for {{ ac-2.11_prm_2 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time."}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring for Atypical Usage","parameters":[{"id":"ac-2.12_prm_1","label":"organization-defined atypical usage"},{"id":"ac-2.12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AC-2(12)"},{"name":"sort-id","value":"AC-02(12)"}],"links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-2.12_smt","name":"statement","parts":[{"id":"ac-2.12_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Monitor system accounts for {{ ac-2.12_prm_1 }}; and"},{"id":"ac-2.12_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Report atypical usage of system accounts to {{ ac-2.12_prm_2 }}."}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals working in organizations. Account monitoring may inadvertently create privacy risks. Data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","parameters":[{"id":"ac-2.13_prm_1","label":"organization-defined time-period"},{"id":"ac-2.13_prm_2","label":"organization-defined significant risks"}],"properties":[{"name":"label","value":"AC-2(13)"},{"name":"sort-id","value":"AC-02(13)"}],"links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of users within {{ ac-2.13_prm_1 }} of discovery of {{ ac-2.13_prm_2 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement."}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","properties":[{"name":"label","value":"AC-3"},{"name":"sort-id","value":"AC-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#ac-24","rel":"related","text":"AC-24"},{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-6","rel":"related","text":"IA-6"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-4","rel":"related","text":"SC-4"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family."}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","parameters":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"properties":[{"name":"label","value":"AC-4"},{"name":"sort-id","value":"AC-04"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-4","rel":"related","text":"SC-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-31","rel":"related","text":"SC-31"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels.\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS)."}],"controls":[{"id":"ac-4.4","class":"SP800-53-enhancement","title":"Flow Control of Encrypted Information","parameters":[{"id":"ac-4.4_prm_1","label":"organization-defined information flow control mechanisms"},{"id":"ac-4.4_prm_2"},{"id":"ac-4.4_prm_3","depends-on":"ac-4.4_prm_2","label":"organization-defined procedure or method"}],"properties":[{"name":"label","value":"AC-4(4)"},{"name":"sort-id","value":"AC-04(04)"}],"links":[{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-4.4_smt","name":"statement","prose":"Prevent encrypted information from bypassing {{ ac-4.4_prm_1 }} by {{ ac-4.4_prm_2 }}."},{"id":"ac-4.4_gdn","name":"guidance","prose":"Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms."}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","parameters":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals requiring separation"}],"properties":[{"name":"label","value":"AC-5"},{"name":"sort-id","value":"AC-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document {{ ac-5_prm_1 }}; and"},{"id":"ac-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3."}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","properties":[{"name":"label","value":"AC-6"},{"name":"sort-id","value":"AC-06"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-38","rel":"related","text":"SC-38"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","parameters":[{"id":"ac-6.1_prm_1","label":"organization-defined individuals or roles"},{"id":"ac-6.1_prm_2","label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-6.1_prm_3","label":"organization-defined security-relevant information"}],"properties":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"AC-06(01)"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#pe-2","rel":"related","text":"PE-2"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Explicitly authorize access for {{ ac-6.1_prm_1 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"\n {{ ac-6.1_prm_2 }}; and"},{"id":"ac-6.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"\n {{ ac-6.1_prm_3 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","parameters":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant information"}],"properties":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"AC-06(02)"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#pl-4","rel":"related","text":"PL-4"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","parameters":[{"id":"ac-6.3_prm_1","label":"organization-defined privileged commands"},{"id":"ac-6.3_prm_2","label":"organization-defined compelling operational needs"}],"properties":[{"name":"label","value":"AC-6(3)"},{"name":"sort-id","value":"AC-06(03)"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"Authorize network access to {{ ac-6.3_prm_1 }} only for {{ ac-6.3_prm_2 }} and document the rationale for such access in the security plan for the system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)."}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","parameters":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"AC-06(05)"}],"links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk."}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","parameters":[{"id":"ac-6.7_prm_1","label":"organization-defined frequency"},{"id":"ac-6.7_prm_2","label":"organization-defined roles or classes of users"}],"properties":[{"name":"label","value":"AC-6(7)"},{"name":"sort-id","value":"AC-06(07)"}],"links":[{"href":"#ca-7","rel":"related","text":"CA-7"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Review {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","properties":[{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"AC-06(09)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Audit the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat."}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","properties":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"AC-06(10)"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3."}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","parameters":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time-period"},{"id":"ac-7_prm_3"},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time-period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"},{"id":"ac-7_prm_6","depends-on":"ac-7_prm_3","label":"organization-defined action"}],"properties":[{"name":"label","value":"AC-7"},{"name":"sort-id","value":"AC-07"}],"links":[{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-5","rel":"related","text":"IA-5"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address.\nTechniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","parameters":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"properties":[{"name":"label","value":"AC-8"},{"name":"sort-id","value":"AC-08"}],"links":[{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","parameters":[{"id":"ac-10_prm_1","label":"organization-defined account and/or account type"},{"id":"ac-10_prm_2","label":"organization-defined number"}],"properties":[{"name":"label","value":"AC-10"},{"name":"sort-id","value":"AC-10"}],"links":[{"href":"#sc-23","rel":"related","text":"SC-23"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"Limit the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for system accounts and does not address concurrent sessions by single users via multiple system accounts."}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","parameters":[{"id":"ac-11_prm_1"},{"id":"ac-11_prm_2","depends-on":"ac-11_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AC-11"},{"name":"sort-id","value":"AC-11"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#pl-4","rel":"related","text":"PL-4"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ ac-11_prm_1 }}; and"},{"id":"ac-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays."}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","properties":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"AC-11(01)"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed."}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","parameters":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session disconnect"}],"properties":[{"name":"label","value":"AC-12"},{"name":"sort-id","value":"AC-12"}],"links":[{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-23","rel":"related","text":"SC-23"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","parameters":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"properties":[{"name":"label","value":"AC-14"},{"name":"sort-id","value":"AC-14"}],"links":[{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and"},{"id":"ac-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none."}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","properties":[{"name":"label","value":"AC-17"},{"name":"sort-id","value":"AC-17"}],"links":[{"href":"#7768c184-088d-4ee8-a316-f9286b52df7f","rel":"reference","text":"[SP 800-46]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#36132a58-56fd-4980-9f6c-c010d3faf52b","rel":"reference","text":"[SP 800-113]"},{"href":"#49fa1ee1-aaf7-4270-bb5a-a86497f717dc","rel":"reference","text":"[SP 800-114]"},{"href":"#60b24979-65b8-4ca5-a442-11b74339fab5","rel":"reference","text":"[SP 800-121]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3."}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","properties":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"AC-17(01)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a."}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","properties":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"AC-17(02)"}],"links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","properties":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"AC-17(03)"}],"links":[{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface."}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","parameters":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"properties":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"AC-17(04)"}],"links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ ac-17.4_prm_1 }}; and"},{"id":"ac-17.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","properties":[{"name":"label","value":"AC-18"},{"name":"sort-id","value":"AC-18"}],"links":[{"href":"#41e2e2c6-2260-4258-85c8-09db17c43103","rel":"reference","text":"[SP 800-94]"},{"href":"#6bed1550-cd5d-4e80-8d83-4e597c1514fe","rel":"reference","text":"[SP 800-97]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication."}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","parameters":[{"id":"ac-18.1_prm_1"}],"properties":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"AC-18(01)"}],"links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies."}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","properties":[{"name":"label","value":"AC-18(3)"},{"name":"sort-id","value":"AC-18(03)"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","properties":[{"name":"label","value":"AC-18(4)"},{"name":"sort-id","value":"AC-18(04)"}],"links":[{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-15","rel":"related","text":"SC-15"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"Identify and explicitly authorize users allowed to independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational systems."}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas and Transmission Power Levels","properties":[{"name":"label","value":"AC-18(5)"},{"name":"sort-id","value":"AC-18(05)"}],"links":[{"href":"#pe-19","rel":"related","text":"PE-19"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization; employing measures such as emissions security to control wireless emanations; and using directional or beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area."}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","properties":[{"name":"label","value":"AC-19"},{"name":"sort-id","value":"AC-19"}],"links":[{"href":"#49fa1ee1-aaf7-4270-bb5a-a86497f717dc","rel":"reference","text":"[SP 800-114]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-11","rel":"related","text":"AC-11"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled."}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device and Container-based Encryption","parameters":[{"id":"ac-19.5_prm_1"},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"properties":[{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"AC-19(05)"}],"links":[{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","parameters":[{"id":"ac-20_prm_1"},{"id":"ac-20_prm_2","depends-on":"ac-20_prm_1","label":"organization-defined terms and conditions"},{"id":"ac-20_prm_3","depends-on":"ac-20_prm_1","label":"organization-defined controls asserted to be implemented on external systems"}],"properties":[{"name":"label","value":"AC-20"},{"name":"sort-id","value":"AC-20"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#aad55f03-8ece-4b21-b09c-9ef65b5a9f55","rel":"reference","text":"[SP 800-171B]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries.\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\nThis control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","properties":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"AC-20(01)"}],"links":[{"href":"#ca-2","rel":"related","text":"CA-2"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","parameters":[{"id":"ac-20.2_prm_1","label":"organization-defined restrictions"}],"properties":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"AC-20(02)"}],"links":[{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#sc-41","rel":"related","text":"SC-41"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ ac-20.2_prm_1 }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","parameters":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"properties":[{"name":"label","value":"AC-21"},{"name":"sort-id","value":"AC-21"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ad3e8f21-07c6-4968-b002-00b64dfa70ae","rel":"reference","text":"[SP 800-150]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-15","rel":"related","text":"SC-15"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ {{ ac-21_prm_2 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA)."}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","parameters":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-22"},{"name":"sort-id","value":"AC-22"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-13","rel":"related","text":"AU-13"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible."}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2"},{"id":"at-1_prm_3","label":"organization-defined official"},{"id":"at-1_prm_4","label":"organization-defined frequency"},{"id":"at-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-1"},{"name":"sort-id","value":"AT-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ at-1_prm_2 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ at-1_prm_4 }}; and"},{"id":"at-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ at-1_prm_5 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"at-2","class":"SP800-53","title":"Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency"},{"id":"at-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-2"},{"name":"sort-id","value":"AT-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-16","rel":"related","text":"SA-16"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update awareness training {{ at-2_prm_2 }}."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective."}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","properties":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"AT-02(02)"}],"links":[{"href":"#pm-12","rel":"related","text":"PM-12"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide awareness training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations."}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","properties":[{"name":"label","value":"AT-2(3)"},{"name":"sort-id","value":"AT-02(03)"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined roles and responsibilities"},{"id":"at-3_prm_2","label":"organization-defined frequency"},{"id":"at-3_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-3"},{"name":"sort-id","value":"AT-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update role-based training {{ at-3_prm_3 }}."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective."}]},{"id":"at-4","class":"SP800-53","title":"Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AT-4"},{"name":"sort-id","value":"AT-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2"},{"id":"au-1_prm_3","label":"organization-defined official"},{"id":"au-1_prm_4","label":"organization-defined frequency"},{"id":"au-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-1"},{"name":"sort-id","value":"AU-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ au-1_prm_2 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ au-1_prm_4 }}; and"},{"id":"au-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ au-1_prm_5 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","parameters":[{"id":"au-2_prm_1","label":"organization-defined event types that the system is capable of logging"},{"id":"au-2_prm_2","label":"organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-2"},{"name":"sort-id","value":"AU-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#02d8ec60-6197-43f8-9f47-18732127963e","rel":"reference","text":"[SP 800-92]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ au-2_prm_3 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","properties":[{"name":"label","value":"AU-3"},{"name":"sort-id","value":"AU-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage."}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","parameters":[{"id":"au-3.1_prm_1","label":"organization-defined additional information"}],"properties":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"AU-03(01)"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ au-3.1_prm_1 }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest."}]},{"id":"au-3.2","class":"SP800-53-enhancement","title":"Centralized Management of Planned Audit Record Content","parameters":[{"id":"au-3.2_prm_1","label":"organization-defined system components"}],"properties":[{"name":"label","value":"AU-3(2)"},{"name":"sort-id","value":"AU-03(02)"}],"links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"}],"parts":[{"id":"au-3.2_smt","name":"statement","prose":"Provide centralized management and configuration of the content to be captured in audit records generated by {{ au-3.2_prm_1 }}."},{"id":"au-3.2_gdn","name":"guidance","prose":"Centralized management of planned audit record content requires that the content to be captured in audit records be configured from a central location (necessitating an automated capability). Organizations coordinate the selection of the required audit record content to support the centralized management and configuration capability provided by the system."}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","parameters":[{"id":"au-4_prm_1","label":"organization-defined audit log retention requirements"}],"properties":[{"name":"label","value":"AU-4"},{"name":"sort-id","value":"AU-04"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","parameters":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined time-period"},{"id":"au-5_prm_3","label":"organization-defined additional actions"}],"properties":[{"name":"label","value":"AU-5"},{"name":"sort-id","value":"AU-05"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ au-5_prm_3 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Storage Capacity Warning","parameters":[{"id":"au-5.1_prm_1","label":"organization-defined personnel, roles, and/or locations"},{"id":"au-5.1_prm_2","label":"organization-defined time-period"},{"id":"au-5.1_prm_3","label":"organization-defined percentage"}],"properties":[{"name":"label","value":"AU-5(1)"},{"name":"sort-id","value":"AU-05(01)"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"Provide a warning to {{ au-5.1_prm_1 }} within {{ au-5.1_prm_2 }} when allocated audit log storage volume reaches {{ au-5.1_prm_3 }} of repository maximum audit log storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit log storage repositories distributed across multiple system components, with each repository having different storage volume capacities."}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","parameters":[{"id":"au-5.2_prm_1","label":"organization-defined real-time-period"},{"id":"au-5.2_prm_2","label":"organization-defined personnel, roles, and/or locations"},{"id":"au-5.2_prm_3","label":"organization-defined audit logging failure events requiring real-time alerts"}],"properties":[{"name":"label","value":"AU-5(2)"},{"name":"sort-id","value":"AU-05(02)"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"Provide an alert within {{ au-5.2_prm_1 }} to {{ au-5.2_prm_2 }} when the following audit failure events occur: {{ au-5.2_prm_3 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)."}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","parameters":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-6"},{"name":"sort-id","value":"AU-06"}],"links":[{"href":"#35dfd59f-eef2-4f71-bdb5-6d878267456a","rel":"reference","text":"[SP 800-86]"},{"href":"#1e2c475a-84ae-4c60-b420-8fb2ea552b71","rel":"reference","text":"[SP 800-101]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};"},{"id":"au-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report findings to {{ au-6_prm_3 }}; and"},{"id":"au-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","parameters":[{"id":"au-6.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"AU-06(01)"}],"links":[{"href":"#pm-7","rel":"related","text":"PM-7"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ au-6.1_prm_1 }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","properties":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"AU-06(03)"}],"links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ir-4","rel":"related","text":"IR-4"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness."}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integrated Analysis of Audit Records","parameters":[{"id":"au-6.5_prm_1"},{"id":"au-6.5_prm_2","depends-on":"au-6.5_prm_1","label":"organization-defined data/information collected from other sources"}],"properties":[{"name":"label","value":"AU-6(5)"},{"name":"sort-id","value":"AU-06(05)"}],"links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ir-4","rel":"related","text":"IR-4"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"Integrate analysis of audit records with analysis of {{ au-6.5_prm_1 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial of service attacks or other types of attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations."}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","properties":[{"name":"label","value":"AU-6(6)"},{"name":"sort-id","value":"AU-06(06)"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred, may be useful in investigations."}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","properties":[{"name":"label","value":"AU-7"},{"name":"sort-id","value":"AU-07"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","parameters":[{"id":"au-7.1_prm_1","label":"organization-defined fields within audit records"}],"properties":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"AU-07(01)"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component."}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","parameters":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"properties":[{"name":"label","value":"AU-8"},{"name":"sort-id","value":"AU-08"}],"links":[{"href":"#17ca9481-ea11-4ef2-81c1-885fd37d4be5","rel":"reference","text":"[IETF 5905]"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#sc-45","rel":"related","text":"SC-45"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","parameters":[{"id":"au-8.1_prm_1","label":"organization-defined frequency"},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source"},{"id":"au-8.1_prm_3","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"AU-08(01)"}],"parts":[{"id":"au-8.1_smt","name":"statement","parts":[{"id":"au-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Compare the internal system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ au-8.1_prm_3 }}."}]},{"id":"au-8.1_gdn","name":"guidance","prose":"Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network."}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","properties":[{"name":"label","value":"AU-9"},{"name":"sort-id","value":"AU-09"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#au-15","rel":"related","text":"AU-15"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."}],"controls":[{"id":"au-9.2","class":"SP800-53-enhancement","title":"Store on Separate Physical Systems or Components","parameters":[{"id":"au-9.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-9(2)"},{"name":"sort-id","value":"AU-09(02)"}],"links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"Store audit records {{ au-9.2_prm_1 }} in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records."}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","properties":[{"name":"label","value":"AU-9(3)"},{"name":"sort-id","value":"AU-09(03)"}],"links":[{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash."}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","parameters":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users or roles"}],"properties":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"AU-09(04)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges."}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","parameters":[{"id":"au-10_prm_1","label":"organization-defined actions to be covered by non-repudiation"}],"properties":[{"name":"label","value":"AU-10"},{"name":"sort-id","value":"AU-10"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-23","rel":"related","text":"SC-23"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ au-10_prm_1 }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents; senders of not having transmitted messages; receivers of not having received messages; and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, or approving a procurement request, or received specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts."}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time-period consistent with records retention policy"}],"properties":[{"name":"label","value":"AU-11"},{"name":"sort-id","value":"AU-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention."}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","parameters":[{"id":"au-12_prm_1","label":"organization-defined system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-12"},{"name":"sort-id","value":"AU-12"}],"links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide and Time-correlated Audit Trail","parameters":[{"id":"au-12.1_prm_1","label":"organization-defined system components"},{"id":"au-12.1_prm_2","label":"organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail"}],"properties":[{"name":"label","value":"AU-12(1)"},{"name":"sort-id","value":"AU-12(01)"}],"links":[{"href":"#au-8","rel":"related","text":"AU-8"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"Compile audit records from {{ au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ au-12.1_prm_2 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances."}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","parameters":[{"id":"au-12.3_prm_1","label":"organization-defined individuals or roles"},{"id":"au-12.3_prm_2","label":"organization-defined system components"},{"id":"au-12.3_prm_3","label":"organization-defined selectable event criteria"},{"id":"au-12.3_prm_4","label":"organization-defined time thresholds"}],"properties":[{"name":"label","value":"AU-12(3)"},{"name":"sort-id","value":"AU-12(03)"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"Provide and implement the capability for {{ au-12.3_prm_1 }} to change the logging to be performed on {{ au-12.3_prm_2 }} based on {{ au-12.3_prm_3 }} within {{ au-12.3_prm_4 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed, for example, near real-time, within minutes, or within hours."}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2"},{"id":"ca-1_prm_3","label":"organization-defined official"},{"id":"ca-1_prm_4","label":"organization-defined frequency"},{"id":"ca-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-1"},{"name":"sort-id","value":"CA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ca-1_prm_4 }}; and"},{"id":"ca-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ca-1_prm_5 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"properties":[{"name":"label","value":"CA-2"},{"name":"sort-id","value":"CA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Provide the results of the control assessment to {{ ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control."}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","properties":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"CA-02(01)"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services.\nIndependent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews.\nWhen organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","parameters":[{"id":"ca-2.2_prm_1","label":"organization-defined frequency"},{"id":"ca-2.2_prm_2"},{"id":"ca-2.2_prm_3"},{"id":"ca-2.2_prm_4","depends-on":"ca-2.2_prm_3","label":"organization-defined other forms of assessment"}],"properties":[{"name":"label","value":"CA-2(2)"},{"name":"sort-id","value":"CA-02(02)"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"Include as part of control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}."},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle, for example, during design, development, and unit testing."}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","parameters":[{"id":"ca-3_prm_1"},{"id":"ca-3_prm_2","depends-on":"ca-3_prm_1","label":"organization-defined type of agreement"},{"id":"ca-3_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-3"},{"name":"sort-id","value":"CA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#2e66c31a-190e-49ad-8e00-f306f8a0df17","rel":"reference","text":"[SP 800-47]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }};"},{"id":"ca-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ ca-3_prm_3 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks."}],"controls":[{"id":"ca-3.6","class":"SP800-53-enhancement","title":"Transfer Authorizations","properties":[{"name":"label","value":"CA-3(6)"},{"name":"sort-id","value":"CA-03(06)"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"}],"parts":[{"id":"ca-3.6_smt","name":"statement","prose":"Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."},{"id":"ca-3.6_gdn","name":"guidance","prose":"To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies via independent means, whether the individual or system attempting to transfer information is authorized to do so. This control enhancement also applies to control plane traffic (e.g., routing and DNS) and services such as authenticated SMTP relays."}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-5"},{"name":"sort-id","value":"CA-05"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB."}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"CA-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined system-level metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-7"},{"name":"sort-id","value":"CA-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#851b5ba4-6aa0-4583-857c-4c360cbdf2a0","rel":"reference","text":"[IR 8011 v1]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-31","rel":"related","text":"PM-31"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","properties":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"CA-07(01)"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services."}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","properties":[{"name":"label","value":"CA-7(4)"},{"name":"sort-id","value":"CA-07(04)"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","parameters":[{"id":"ca-8_prm_1","label":"organization-defined frequency"},{"id":"ca-8_prm_2","label":"organization-defined systems or system components"}],"properties":[{"name":"label","value":"CA-8"},{"name":"sort-id","value":"CA-08"}],"links":[{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"Conduct penetration testing {{ ca-8_prm_1 }} on {{ ca-8_prm_2 }}."},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries in carrying out attacks and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system; pretest identification of potential vulnerabilities based on pretest analysis; and testing designed to determine exploitability of vulnerabilities. All parties agree to the rules of engagement before commencement of penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing."}],"controls":[{"id":"ca-8.1","class":"SP800-53-enhancement","title":"Independent Penetration Testing Agent or Team","properties":[{"name":"label","value":"CA-8(1)"},{"name":"sort-id","value":"CA-08(01)"}],"links":[{"href":"#ca-2","rel":"related","text":"CA-2"}],"parts":[{"id":"ca-8.1_smt","name":"statement","prose":"Employ an independent penetration testing agent or team to perform penetration testing on the system or system components."},{"id":"ca-8.1_gdn","name":"guidance","prose":"Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing."}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","parameters":[{"id":"ca-9_prm_1","label":"organization-defined system components or classes of components"},{"id":"ca-9_prm_2","label":"organization-defined conditions"},{"id":"ca-9_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-9"},{"name":"sort-id","value":"CA-09"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ ca-9_prm_1 }} to the system;"},{"id":"ca-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ ca-9_prm_2 }}; and"},{"id":"ca-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review {{ ca-9_prm_3 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2"},{"id":"cm-1_prm_3","label":"organization-defined official"},{"id":"cm-1_prm_4","label":"organization-defined frequency"},{"id":"cm-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-1"},{"name":"sort-id","value":"CM-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cm-1_prm_2 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ cm-1_prm_4 }}; and"},{"id":"cm-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ cm-1_prm_5 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","parameters":[{"id":"cm-2_prm_1","label":"organization-defined frequency"},{"id":"cm-2_prm_2","label":"Assignment organization-defined circumstances"}],"properties":[{"name":"label","value":"CM-2"},{"name":"sort-id","value":"CM-02"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-12","rel":"related","text":"CP-12"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-18","rel":"related","text":"SC-18"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cm-2_prm_1 }};"},{"id":"cm-2_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required due to {{ cm-2_prm_2 }}; and"},{"id":"cm-2_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."}],"controls":[{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","parameters":[{"id":"cm-2.2_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"CM-2(2)"},{"name":"sort-id","value":"CM-02(02)"}],"links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ cm-2.2_prm_1 }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities."}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","parameters":[{"id":"cm-2.3_prm_1","label":"organization-defined number"}],"properties":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"CM-02(03)"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ cm-2.3_prm_1 }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records."}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","parameters":[{"id":"cm-2.7_prm_1","label":"organization-defined systems or system components"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined controls"}],"properties":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"CM-02(07)"}],"links":[{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Issue {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ cm-2.7_prm_3 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family."}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","parameters":[{"id":"cm-3_prm_1","label":"organization-defined time-period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element"},{"id":"cm-3_prm_3"},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"properties":[{"name":"label","value":"CM-3"},{"name":"sort-id","value":"CM-03"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10."}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Documentation, Notification, and Prohibition of Changes","parameters":[{"id":"cm-3.1_prm_1","label":"organization-defined automated mechanisms"},{"id":"cm-3.1_prm_2","label":"organization-defined approval authorities"},{"id":"cm-3.1_prm_3","label":"organization-defined time-period"},{"id":"cm-3.1_prm_4","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"CM-3(1)"},{"name":"sort-id","value":"CM-03(01)"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"Use {{ cm-3.1_prm_1 }} to:","parts":[{"id":"cm-3.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the system;"},{"id":"cm-3.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Notify {{ cm-3.1_prm_2 }} of proposed changes to the system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the system that have not been approved or disapproved within {{ cm-3.1_prm_3 }};"},{"id":"cm-3.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the system until designated approvals are received;"},{"id":"cm-3.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the system; and"},{"id":"cm-3.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Notify {{ cm-3.1_prm_4 }} when approved changes to the system are completed."}]},{"id":"cm-3.1_gdn","name":"guidance","prose":"None."}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","properties":[{"name":"label","value":"CM-3(2)"},{"name":"sort-id","value":"CM-03(02)"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","parameters":[{"id":"cm-3.4_prm_1","label":"organization-defined security and privacy representatives"},{"id":"cm-3.4_prm_2","label":"organization-defined configuration change control element"}],"properties":[{"name":"label","value":"CM-3(4)"},{"name":"sort-id","value":"CM-03(04)"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ cm-3.4_prm_1 }} to be members of the {{ cm-3.4_prm_2 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3."}]},{"id":"cm-3.6","class":"SP800-53-enhancement","title":"Cryptography Management","parameters":[{"id":"cm-3.6_prm_1","label":"organization-defined controls"}],"properties":[{"name":"label","value":"CM-3(6)"},{"name":"sort-id","value":"CM-03(06)"}],"links":[{"href":"#sc-12","rel":"related","text":"SC-12"}],"parts":[{"id":"cm-3.6_smt","name":"statement","prose":"Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ cm-3.6_prm_1 }}."},{"id":"cm-3.6_gdn","name":"guidance","prose":"The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates."}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"CM-04"}],"links":[{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required."}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","properties":[{"name":"label","value":"CM-4(1)"},{"name":"sort-id","value":"CM-04(01)"}],"links":[{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation."}]},{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","properties":[{"name":"label","value":"CM-4(2)"},{"name":"sort-id","value":"CM-04(02)"}],"links":[{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#si-6","rel":"related","text":"SI-6"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","properties":[{"name":"label","value":"CM-5"},{"name":"sort-id","value":"CM-05"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-10","rel":"related","text":"SI-10"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement and Audit Records","parameters":[{"id":"cm-5.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"CM-5(1)"},{"name":"sort-id","value":"CM-05(01)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cm-5.1_smt","name":"statement","parts":[{"id":"cm-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Enforce access restrictions using {{ cm-5.1_prm_1 }}; and"},{"id":"cm-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Automatically generate audit records of the enforcement actions."}]},{"id":"cm-5.1_gdn","name":"guidance","prose":"Organizations log access records associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes."}]},{"id":"cm-5.3","class":"SP800-53-enhancement","title":"Signed Components","parameters":[{"id":"cm-5.3_prm_1","label":"organization-defined software and firmware components"}],"properties":[{"name":"label","value":"CM-5(3)"},{"name":"sort-id","value":"CM-05(03)"}],"links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-5.3_smt","name":"statement","prose":"Prevent the installation of {{ cm-5.3_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."},{"id":"cm-5.3_gdn","name":"guidance","prose":"Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication."}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","parameters":[{"id":"cm-6_prm_1","label":"organization-defined common secure configurations"},{"id":"cm-6_prm_2","label":"organization-defined system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"properties":[{"name":"label","value":"CM-6"},{"name":"sort-id","value":"CM-06"}],"links":[{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","rel":"reference","text":"[SP 800-126]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#06842bea-64c9-4e20-807a-b8fc003fa737","rel":"reference","text":"[USGCB]"},{"href":"#5cc04a1c-5489-4751-a493-746a9639067b","rel":"reference","text":"[NCPR]"},{"href":"#294eed19-7471-4517-9480-2ec73e7c6a78","rel":"reference","text":"[DOD STIG]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-6","rel":"related","text":"SI-6"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\nImplementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Management, Application, and Verification","parameters":[{"id":"cm-6.1_prm_1","label":"organization-defined system components"},{"id":"cm-6.1_prm_2","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"CM-6(1)"},{"name":"sort-id","value":"CM-06(01)"}],"links":[{"href":"#ca-7","rel":"related","text":"CA-7"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"Centrally manage, apply, and verify configuration settings for {{ cm-6.1_prm_1 }} using {{ cm-6.1_prm_2 }}."},{"id":"cm-6.1_gdn","name":"guidance","prose":"Automated tools (e.g., security information and event management tools or enterprise security monitoring tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision making within the organization."}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","parameters":[{"id":"cm-6.2_prm_1","label":"organization-defined configuration settings"},{"id":"cm-6.2_prm_2","label":"organization-defined actions"}],"properties":[{"name":"label","value":"CM-6(2)"},{"name":"sort-id","value":"CM-06(02)"}],"links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"Take the following actions in response to unauthorized changes to {{ cm-6.2_prm_1 }}: {{ cm-6.2_prm_2 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected system processing."}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","parameters":[{"id":"cm-7_prm_1","label":"organization-defined mission essential capabilities"},{"id":"cm-7_prm_2","label":"organization-defined prohibited or restricted functions, ports, protocols, software, and/or services"}],"properties":[{"name":"label","value":"CM-7"},{"name":"sort-id","value":"CM-07"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#893d1736-324c-41d6-a5f4-d526b5ca981a","rel":"reference","text":"[SP 800-167]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ cm-7_prm_1 }}; and"},{"id":"cm-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3)."}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","parameters":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency"},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure"}],"properties":[{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"CM-07(01)"}],"links":[{"href":"#ac-18","rel":"related","text":"AC-18"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","parameters":[{"id":"cm-7.2_prm_1"},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions"}],"properties":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"CM-07(02)"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ cm-7.2_prm_1 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time."}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Whitelisting","parameters":[{"id":"cm-7.5_prm_1","label":"organization-defined software programs authorized to execute on the system"},{"id":"cm-7.5_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-7(5)"},{"name":"sort-id","value":"CM-07(05)"}],"links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Identify {{ cm-7.5_prm_1 }};"},{"id":"cm-7.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ cm-7.5_prm_2 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7."}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","parameters":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-8"},{"name":"sort-id","value":"CM-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location."}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","properties":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"CM-08(01)"}],"links":[{"href":"#pm-16","rel":"related","text":"PM-16"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","parameters":[{"id":"cm-8.2_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"CM-8(2)"},{"name":"sort-id","value":"CM-08(02)"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ cm-8.2_prm_1 }}."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities."}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","parameters":[{"id":"cm-8.3_prm_1","label":"organization-defined automated mechanisms"},{"id":"cm-8.3_prm_2","label":"organization-defined frequency"},{"id":"cm-8.3_prm_3"},{"id":"cm-8.3_prm_4","depends-on":"cm-8.3_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"CM-08(03)"}],"links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-39","rel":"related","text":"SC-39"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ cm-8.3_prm_1 }}\n {{ cm-8.3_prm_2 }}; and"},{"id":"cm-8.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ cm-8.3_prm_3 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing."}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","parameters":[{"id":"cm-8.4_prm_1"}],"properties":[{"name":"label","value":"CM-8(4)"},{"name":"sort-id","value":"CM-08(04)"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"Include in the system component inventory information, a means for identifying by {{ cm-8.4_prm_1 }}, individuals responsible and accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required, for example, the component is determined to be the source of a breach; the component needs to be recalled or replaced; or the component needs to be relocated."}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","parameters":[{"id":"cm-9_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"CM-9"},{"name":"sort-id","value":"CM-09"}],"links":[{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ cm-9_prm_1 }}; and"},{"id":"cm-9_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents.\nOrganizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","properties":[{"name":"label","value":"CM-10"},{"name":"sort-id","value":"CM-10"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement."}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","parameters":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-11"},{"name":"sort-id","value":"CM-11"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish {{ cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","parameters":[{"id":"cm-12_prm_1","label":"organization-defined information"}],"properties":[{"name":"label","value":"CM-12"},{"name":"sort-id","value":"CM-12"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-23","rel":"related","text":"AC-23"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-4","rel":"related","text":"SC-4"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ cm-12_prm_1 }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17)."}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","parameters":[{"id":"cm-12.1_prm_1","label":"organization-defined information by information type"},{"id":"cm-12.1_prm_2","label":"organization-defined system components"}],"properties":[{"name":"label","value":"CM-12(1)"},{"name":"sort-id","value":"CM-12(01)"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ cm-12.1_prm_1 }} on {{ cm-12.1_prm_2 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions."}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2"},{"id":"cp-1_prm_3","label":"organization-defined official"},{"id":"cp-1_prm_4","label":"organization-defined frequency"},{"id":"cp-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-1"},{"name":"sort-id","value":"CP-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cp-1_prm_2 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ cp-1_prm_4 }}; and"},{"id":"cp-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ cp-1_prm_5 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","parameters":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and/or by role) and organizational elements"}],"properties":[{"name":"label","value":"CP-2"},{"name":"sort-id","value":"CP-02"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#7a93e915-fd58-4147-be12-e48044c367e6","rel":"reference","text":"[IR 8179]"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-11","rel":"related","text":"CP-11"},{"href":"#cp-13","rel":"related","text":"CP-13"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-20","rel":"related","text":"SA-20"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.\nIn addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family."}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"CP-02(01)"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans."}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","properties":[{"name":"label","value":"CP-2(2)"},{"name":"sort-id","value":"CP-02(02)"}],"links":[{"href":"#pe-11","rel":"related","text":"PE-11"},{"href":"#pe-12","rel":"related","text":"PE-12"},{"href":"#pe-13","rel":"related","text":"PE-13"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#sc-5","rel":"related","text":"SC-5"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential missions and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance."}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Missions and Business Functions","parameters":[{"id":"cp-2.3_prm_1"},{"id":"cp-2.3_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"CP-02(03)"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ cp-2.3_prm_1 }} missions and business functions within {{ cp-2.3_prm_2 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Missions and Business Functions","parameters":[{"id":"cp-2.5_prm_1"}],"properties":[{"name":"label","value":"CP-2(5)"},{"name":"sort-id","value":"CP-02(05)"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"Plan for the continuance of {{ cp-2.5_prm_1 }} missions and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to conduct the contingency planning activities to continue missions and business functions as part of business continuity planning or as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency."}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","parameters":[{"id":"cp-2.8_prm_1"}],"properties":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"CP-02(08)"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ra-9","rel":"related","text":"RA-9"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ cp-2.8_prm_1 }} missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement."}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","parameters":[{"id":"cp-3_prm_1","label":"organization-defined time-period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-3"},{"name":"sort-id","value":"CP-03"}],"links":[{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n {{ cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan."}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","properties":[{"name":"label","value":"CP-3(1)"},{"name":"sort-id","value":"CP-03(01)"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_gdn","name":"guidance","prose":"The use of simulated events creates an environment for personnel to experience actual threat events including cyber-attacks that disable web sites, ransom-ware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures."}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","parameters":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"properties":[{"name":"label","value":"CP-4"},{"name":"sort-id","value":"CP-04"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#20bf433b-074c-47a0-8fca-cd591772ccd6","rel":"reference","text":"[SP 800-84]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"CP-04(01)"}],"links":[{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-8","rel":"related","text":"PM-8"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements."}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","properties":[{"name":"label","value":"CP-4(2)"},{"name":"sort-id","value":"CP-04(02)"}],"links":[{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"Test the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources; and"},{"id":"cp-4.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","prose":"Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience, firsthand, the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational missions and functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing."}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","properties":[{"name":"label","value":"CP-6"},{"name":"sort-id","value":"CP-06"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-36","rel":"related","text":"SC-36"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems."}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"CP-06(01)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time and Recovery Point Objectives","properties":[{"name":"label","value":"CP-6(2)"},{"name":"sort-id","value":"CP-06(02)"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_gdn","name":"guidance","prose":"Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations ensuring accessibility and correct execution."}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"CP-06(03)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","parameters":[{"id":"cp-7_prm_1","label":"organization-defined system operations"},{"id":"cp-7_prm_2","label":"organization-defined time-period consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-7"},{"name":"sort-id","value":"CP-07"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-11","rel":"related","text":"PE-11"},{"href":"#pe-12","rel":"related","text":"PE-12"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#sc-36","rel":"related","text":"SC-36"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ cp-7_prm_1 }} for essential missions and business functions within {{ cp-7_prm_2 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems."}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"CP-07(01)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"CP-07(02)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","properties":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"CP-07(03)"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","properties":[{"name":"label","value":"CP-7(4)"},{"name":"sort-id","value":"CP-07(04)"}],"links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-4","rel":"related","text":"CP-4"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"Prepare the alternate processing site so that the site can serve as the operational site supporting essential missions and business functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place."}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","parameters":[{"id":"cp-8_prm_1","label":"organization-defined system operations"},{"id":"cp-8_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"CP-8"},{"name":"sort-id","value":"CP-08"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-11","rel":"related","text":"CP-11"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for essential missions and business functions within {{ cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","properties":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"CP-08(01)"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","properties":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"CP-08(02)"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary and Alternate Providers","properties":[{"name":"label","value":"CP-8(3)"},{"name":"sort-id","value":"CP-08(03)"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment."}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","parameters":[{"id":"cp-8.4_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-8(4)"},{"name":"sort-id","value":"CP-08(04)"}],"links":[{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"}],"parts":[{"id":"cp-8.4_smt","name":"statement","parts":[{"id":"cp-8.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Require primary and alternate telecommunications service providers to have contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Obtain evidence of contingency testing and training by providers {{ cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training."}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","parameters":[{"id":"cp-9_prm_1","label":"organization-defined system components"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_4","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-9"},{"name":"sort-id","value":"CP-09"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#ae412317-c2b4-47bb-b47b-c329ce0d7a0b","rel":"reference","text":"[SP 800-130]"},{"href":"#38dbdf55-9a14-446f-b563-c48e4e3d37fb","rel":"reference","text":"[SP 800-152]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ cp-9_prm_1 }}\n {{ cp-9_prm_2 }};"},{"id":"cp-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }};"},{"id":"cp-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and"},{"id":"cp-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","parameters":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"CP-09(01)"}],"links":[{"href":"#cp-4","rel":"related","text":"CP-4"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","properties":[{"name":"label","value":"CP-9(2)"},{"name":"sort-id","value":"CP-09(02)"}],"links":[{"href":"#cp-4","rel":"related","text":"CP-4"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","prose":"Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is used to determine if the functions operate as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed."}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","parameters":[{"id":"cp-9.3_prm_1","label":"organization-defined critical system software and other security-related information"}],"properties":[{"name":"label","value":"CP-9(3)"},{"name":"sort-id","value":"CP-09(03)"}],"links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"Store backup copies of {{ cp-9.3_prm_1 }} in a separate facility or in a fire-rated container that is not collocated with the operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire-rated containers."}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","parameters":[{"id":"cp-9.5_prm_1","label":"organization-defined time-period and transfer rate consistent with the recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-9(5)"},{"name":"sort-id","value":"CP-09(05)"}],"links":[{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"Transfer system backup information to the alternate storage site {{ cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"System backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media."}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"cp-9.8_prm_1","label":"organization-defined backup information"}],"properties":[{"name":"label","value":"CP-9(8)"},{"name":"sort-id","value":"CP-09(08)"}],"links":[{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ cp-9.8_prm_1 }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","parameters":[{"id":"cp-10_prm_1","label":"organization-defined time-period consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-10"},{"name":"sort-id","value":"CP-10"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-24","rel":"related","text":"SC-24"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","properties":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"CP-10(02)"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time-period","parameters":[{"id":"cp-10.4_prm_1","label":"organization-defined restoration time-periods"}],"properties":[{"name":"label","value":"CP-10(4)"},{"name":"sort-id","value":"CP-10(04)"}],"links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"Provide the capability to restore system components within {{ cp-10.4_prm_1 }} from configuration-controlled and integrity-protected information representing a known, operational state for the components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of system components includes reimaging which restores the components to known, operational states."}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2"},{"id":"ia-1_prm_3","label":"organization-defined official"},{"id":"ia-1_prm_4","label":"organization-defined frequency"},{"id":"ia-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IA-1"},{"name":"sort-id","value":"IA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ia-1_prm_2 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ia-1_prm_4 }}; and"},{"id":"ia-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ia-1_prm_5 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","properties":[{"name":"label","value":"IA-2"},{"name":"sort-id","value":"IA-02"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa","rel":"reference","text":"[SP 800-156]"},{"href":"#a8f55663-86c5-415b-aabe-d2a126981d65","rel":"reference","text":"[SP 800-166]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#daf69edb-a0ef-4447-9880-8c4bf553181f","rel":"reference","text":"[IR 7676]"},{"href":"#a49f67fc-827c-40e6-9a37-2b1cbe8142fd","rel":"reference","text":"[IR 7817]"},{"href":"#972c10bd-aedf-485f-b0db-f46a402127e2","rel":"reference","text":"[IR 7849]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8."}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multifactor Authentication to Privileged Accounts","properties":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"IA-02(01)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multifactor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multifactor Authentication to Non-privileged Accounts","properties":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"IA-02(02)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multifactor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."}]},{"id":"ia-2.5","class":"SP800-53-enhancement","title":"Individual Authentication with Group Authentication","properties":[{"name":"label","value":"IA-2(5)"},{"name":"sort-id","value":"IA-02(05)"}],"parts":[{"id":"ia-2.5_smt","name":"statement","prose":"When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources."},{"id":"ia-2.5_gdn","name":"guidance","prose":"Individual authentication prior to shared group authentication helps to mitigate the risk of using group accounts or authenticators."}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","parameters":[{"id":"ia-2.8_prm_1"}],"properties":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"IA-02(08)"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators."}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","properties":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"IA-02(12)"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential."}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","parameters":[{"id":"ia-3_prm_1","label":"organization-defined devices and/or types of devices"},{"id":"ia-3_prm_2"}],"properties":[{"name":"label","value":"IA-3"},{"name":"sort-id","value":"IA-03"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need."}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","parameters":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"IA-4"},{"name":"sort-id","value":"IA-04"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#sc-37","rel":"related","text":"SC-37"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ ia-4_prm_2 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","parameters":[{"id":"ia-4.4_prm_1","label":"organization-defined characteristic identifying individual status"}],"properties":[{"name":"label","value":"IA-4(4)"},{"name":"sort-id","value":"IA-04(04)"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ ia-4.4_prm_1 }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","parameters":[{"id":"ia-5_prm_1","label":"organization-defined time-period by authenticator type"}],"properties":[{"name":"label","value":"IA-5"},{"name":"sort-id","value":"IA-05"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#a49f67fc-827c-40e6-9a37-2b1cbe8142fd","rel":"reference","text":"[IR 7817]"},{"href":"#972c10bd-aedf-485f-b0db-f46a402127e2","rel":"reference","text":"[IR 7849]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#24738ee6-b3f3-4e37-825b-58775846bdbc","rel":"reference","text":"[IR 8040]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changing or refreshing authenticators {{ ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","parameters":[{"id":"ia-5.1_prm_1","label":"organization-defined frequency"},{"id":"ia-5.1_prm_2","label":"organization-defined composition and complexity rules"}],"properties":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"IA-05(01)"}],"links":[{"href":"#ia-6","rel":"related","text":"IA-6"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;"},{"id":"ia-5.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Transmit only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","properties":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","properties":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof."}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Implement a local cache of revocation data to support path discovery and validation.","properties":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"IA-05(02)"}],"links":[{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-17","rel":"related","text":"SC-17"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_gdn","name":"guidance"}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","properties":[{"name":"label","value":"IA-5(6)"},{"name":"sort-id","value":"IA-05(06)"}],"links":[{"href":"#ra-2","rel":"related","text":"RA-2"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","properties":[{"name":"label","value":"IA-6"},{"name":"sort-id","value":"IA-06"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it."}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","properties":[{"name":"label","value":"IA-7"},{"name":"sort-id","value":"IA-07"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","properties":[{"name":"label","value":"IA-8"},{"name":"sort-id","value":"IA-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#ad7d575f-b5fe-489b-8d48-36a93d964a5f","rel":"reference","text":"[SP 800-116]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-10","rel":"related","text":"IA-10"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-8","rel":"related","text":"SC-8"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","properties":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"IA-08(01)"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]."}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Credentials","properties":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"IA-08(02)"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"Accept only external credentials that are NIST-compliant."},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels."}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Nist-issued Profiles","properties":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"IA-08(04)"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to NIST-issued profiles for identity management."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols."}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","parameters":[{"id":"ia-11_prm_1","label":"organization-defined circumstances or situations requiring re-authentication"}],"properties":[{"name":"label","value":"IA-11"},{"name":"sort-id","value":"IA-11"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-11","rel":"related","text":"AC-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ ia-11_prm_1 }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically."}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","properties":[{"name":"label","value":"IA-12"},{"name":"sort-id","value":"IA-12"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3c50fa31-7f4d-4d30-91d7-27ee87cd5f75","rel":"reference","text":"[SP 800-63A]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-6","rel":"related","text":"IA-6"},{"href":"#ia-8","rel":"related","text":"IA-8"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A]."}],"controls":[{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","properties":[{"name":"label","value":"IA-12(2)"},{"name":"sort-id","value":"IA-12(02)"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account."}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","parameters":[{"id":"ia-12.3_prm_1","label":"organizational defined methods of validation and verification"}],"properties":[{"name":"label","value":"IA-12(3)"},{"name":"sort-id","value":"IA-12(03)"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ ia-12.3_prm_1 }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account"}]},{"id":"ia-12.4","class":"SP800-53-enhancement","title":"In-person Validation and Verification","properties":[{"name":"label","value":"IA-12(4)"},{"name":"sort-id","value":"IA-12(04)"}],"parts":[{"id":"ia-12.4_smt","name":"statement","prose":"Require that the validation and verification of identity evidence be conducted in person before a designated registration authority."},{"id":"ia-12.4_gdn","name":"guidance","prose":"In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities."}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","parameters":[{"id":"ia-12.5_prm_1"}],"properties":[{"name":"label","value":"IA-12(5)"},{"name":"sort-id","value":"IA-12(05)"}],"links":[{"href":"#ia-12","rel":"related","text":"IA-12"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ ia-12.5_prm_1 }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2"},{"id":"ir-1_prm_3","label":"organization-defined official"},{"id":"ir-1_prm_4","label":"organization-defined frequency"},{"id":"ir-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-1"},{"name":"sort-id","value":"IR-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ir-1_prm_2 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ir-1_prm_4 }}; and"},{"id":"ir-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ir-1_prm_5 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","parameters":[{"id":"ir-2_prm_1","label":"organization-defined time-period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-2"},{"name":"sort-id","value":"IR-02"}],"links":[{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n {{ ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3."}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","properties":[{"name":"label","value":"IR-2(1)"},{"name":"sort-id","value":"IR-02(01)"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations."},{"id":"ir-2.1_gdn","name":"guidance","prose":"Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations."}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","parameters":[{"id":"ir-2.2_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-2(2)"},{"name":"sort-id","value":"IR-02(02)"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"Provide an incident response training environment using {{ ir-2.2_prm_1 }}."},{"id":"ir-2.2_gdn","name":"guidance","prose":"Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues; by selecting more realistic training scenarios and training environments; and by stressing the response capability."}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","parameters":[{"id":"ir-3_prm_1","label":"organization-defined frequency"},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"properties":[{"name":"label","value":"IR-3"},{"name":"sort-id","value":"IR-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#20bf433b-074c-47a0-8fca-cd591772ccd6","rel":"reference","text":"[SP 800-84]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-14","rel":"related","text":"PM-14"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","properties":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"IR-03(02)"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans."}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"IR-04"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#35dfd59f-eef2-4f71-bdb5-6d878267456a","rel":"reference","text":"[SP 800-86]"},{"href":"#1e2c475a-84ae-4c60-b420-8fb2ea552b71","rel":"reference","text":"[SP 800-101]"},{"href":"#ad3e8f21-07c6-4968-b002-00b64dfa70ae","rel":"reference","text":"[SP 800-150]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#08f518f7-f9b9-4bee-8986-860214f46b16","rel":"reference","text":"[SP 800-184]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk."}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","parameters":[{"id":"ir-4.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"IR-04(01)"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ ir-4.1_prm_1 }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis."}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","properties":[{"name":"label","value":"IR-4(4)"},{"name":"sort-id","value":"IR-04(04)"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes a threat event, for example, a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations."}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","properties":[{"name":"label","value":"IR-5"},{"name":"sort-id","value":"IR-05"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document security, privacy, and supply chain incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports."}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking, Data Collection, and Analysis","parameters":[{"id":"ir-5.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-5(1)"},{"name":"sort-id","value":"IR-05(01)"}],"links":[{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#ir-4","rel":"related","text":"IR-4"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"Track security and privacy incidents and collect and analyze incident information using {{ ir-5.1_prm_1 }}."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking incidents and for collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices."}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time-period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"label","value":"IR-6"},{"name":"sort-id","value":"IR-06"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","parameters":[{"id":"ir-6.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"IR-06(01)"}],"links":[{"href":"#ir-7","rel":"related","text":"IR-7"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ ir-6.1_prm_1 }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs."}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","properties":[{"name":"label","value":"IR-6(3)"},{"name":"sort-id","value":"IR-06(03)"}],"links":[{"href":"#sr-8","rel":"related","text":"SR-8"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident."}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"IR-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-26","rel":"related","text":"PM-26"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","parameters":[{"id":"ir-7.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"IR-07(01)"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ ir-7.1_prm_1 }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined frequency"},{"id":"ir-8_prm_3","label":"organization-defined entities, personnel, or roles"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"},{"id":"ir-8_prm_5","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"}],"properties":[{"name":"label","value":"IR-8"},{"name":"sort-id","value":"IR-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#389fe193-866e-46b1-bf1d-38904b56aa7b","rel":"reference","text":"[OMB M-17-12]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-8","rel":"related","text":"SR-8"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and"},{"id":"ir-8_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}."}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ ir-8_prm_4 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ ir-8_prm_5 }}; and"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."}]},{"id":"ir-10","class":"SP800-53","title":"Incident Analysis","properties":[{"name":"label","value":"IR-10"},{"name":"status","value":"Withdrawn"},{"name":"sort-id","value":"IR-10"}],"links":[{"href":"#ir-4.11","rel":"incorporated-into","text":"IR-4(11)"}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2"},{"id":"ma-1_prm_3","label":"organization-defined official"},{"id":"ma-1_prm_4","label":"organization-defined frequency"},{"id":"ma-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MA-1"},{"name":"sort-id","value":"MA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ma-1_prm_2 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ma-1_prm_4 }}; and"},{"id":"ma-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ma-1_prm_5 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","parameters":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined information"},{"id":"ma-2_prm_3","label":"organization-defined information"}],"properties":[{"name":"label","value":"MA-2"},{"name":"sort-id","value":"MA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }};"},{"id":"ma-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems."}],"controls":[{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","parameters":[{"id":"ma-2.2_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"MA-2(2)"},{"name":"sort-id","value":"MA-02(02)"}],"links":[{"href":"#ma-3","rel":"related","text":"MA-3"}],"parts":[{"id":"ma-2.2_smt","name":"statement","parts":[{"id":"ma-2.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ ma-2.2_prm_1 }}; and"},{"id":"ma-2.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","prose":"The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records."}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","parameters":[{"id":"ma-3_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MA-3"},{"name":"sort-id","value":"MA-03"}],"links":[{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#pe-16","rel":"related","text":"PE-16"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ ma-3_prm_1 }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools."}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","properties":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"MA-03(01)"}],"links":[{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","properties":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"MA-03(02)"}],"links":[{"href":"#si-3","rel":"related","text":"SI-3"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures."}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","parameters":[{"id":"ma-3.3_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MA-3(3)"},{"name":"sort-id","value":"MA-03(03)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","properties":[{"name":"label","value":"MA-4"},{"name":"sort-id","value":"MA-04"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#bbc7085f-b383-444e-af74-722a55cccc0f","rel":"reference","text":"[FIPS 197]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-10","rel":"related","text":"SC-10"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls."}],"controls":[{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security and Sanitization","properties":[{"name":"label","value":"MA-4(3)"},{"name":"sort-id","value":"MA-04(03)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ma-4.3_smt","name":"statement","parts":[{"id":"ma-4.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced."}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","properties":[{"name":"label","value":"MA-5"},{"name":"sort-id","value":"MA-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods."}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","parameters":[{"id":"ma-5.1_prm_1","label":"organization-defined alternate controls"}],"properties":[{"name":"label","value":"MA-5(1)"},{"name":"sort-id","value":"MA-05(01)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"ma-5.1_smt","name":"statement","parts":[{"id":"ma-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","properties":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;"},{"id":"ma-5.1_smt.a.2","name":"item","properties":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Develop and implement {{ ma-5.1_prm_1 }} in the event a system component cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems."}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","parameters":[{"id":"ma-6_prm_1","label":"organization-defined system components"},{"id":"ma-6_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"MA-6"},{"name":"sort-id","value":"MA-06"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-13","rel":"related","text":"SI-13"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2"},{"id":"mp-1_prm_3","label":"organization-defined official"},{"id":"mp-1_prm_4","label":"organization-defined frequency"},{"id":"mp-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MP-1"},{"name":"sort-id","value":"MP-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ mp-1_prm_2 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ mp-1_prm_4 }}; and"},{"id":"mp-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ mp-1_prm_5 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","parameters":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MP-2"},{"name":"sort-id","value":"MP-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media."}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","parameters":[{"id":"mp-3_prm_1","label":"organization-defined types of system media"},{"id":"mp-3_prm_2","label":"organization-defined controlled areas"}],"properties":[{"name":"label","value":"MP-3"},{"name":"sort-id","value":"MP-03"}],"links":[{"href":"#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","rel":"reference","text":"[32 CFR 2002]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-22","rel":"related","text":"PE-22"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Exempt {{ mp-3_prm_1 }} from marking if the media remain within {{ mp-3_prm_2 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","parameters":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-4_prm_2","label":"organization-defined controlled areas"}],"properties":[{"name":"label","value":"MP-4"},{"name":"sort-id","value":"MP-04"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#77dc1838-3664-4faa-bc6e-4e2a16e52f35","rel":"reference","text":"[SP 800-56A]"},{"href":"#f417e4ec-cadb-47a8-a363-6006b32c28ad","rel":"reference","text":"[SP 800-56B]"},{"href":"#7c3ba335-62bd-4f03-888f-960790409b11","rel":"reference","text":"[SP 800-56C]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ mp-4_prm_1 }} within {{ mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection."}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","parameters":[{"id":"mp-5_prm_1","label":"organization-defined types of system media"},{"id":"mp-5_prm_2","label":"organization-defined controls"}],"properties":[{"name":"label","value":"MP-5"},{"name":"sort-id","value":"MP-05"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Protect and control {{ mp-5_prm_1 }} during transport outside of controlled areas using {{ mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"MP-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#a52271dc-11b5-423a-8b6f-14867bd94259","rel":"reference","text":"[NSA MEDIA]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"},{"href":"#si-19","rel":"related","text":"SI-19"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information."}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review, Approve, Track, Document, and Verify","properties":[{"name":"label","value":"MP-6(1)"},{"name":"sort-id","value":"MP-06(01)"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"Review, approve, track, document, and verify media sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions; types of media sanitized; files stored on the media; sanitization methods used; date and time of the sanitization actions; personnel who performed the sanitization; verification actions taken and personnel who performed the verification; and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal."}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","parameters":[{"id":"mp-6.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MP-6(2)"},{"name":"sort-id","value":"MP-06(02)"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"Test sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being achieved."},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers."}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","parameters":[{"id":"mp-6.3_prm_1","label":"organization-defined circumstances requiring sanitization of portable storage devices"}],"properties":[{"name":"label","value":"MP-6(3)"},{"name":"sort-id","value":"MP-06(03)"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ mp-6.3_prm_1 }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"Portable storage devices include external or removable hard disk drives (solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices."}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","parameters":[{"id":"mp-7_prm_1"},{"id":"mp-7_prm_2","label":"organization-defined types of system media"},{"id":"mp-7_prm_3","label":"organization-defined systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined controls"}],"properties":[{"name":"label","value":"MP-7"},{"name":"sort-id","value":"MP-07"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-41","rel":"related","text":"SC-41"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"\n {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and"},{"id":"mp-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2"},{"id":"pe-1_prm_3","label":"organization-defined official"},{"id":"pe-1_prm_4","label":"organization-defined frequency"},{"id":"pe-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-1"},{"name":"sort-id","value":"PE-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pe-1_prm_2 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pe-1_prm_4 }}; and"},{"id":"pe-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pe-1_prm_5 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","parameters":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-2"},{"name":"sort-id","value":"PE-02"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-8","rel":"related","text":"PE-8"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible."}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","parameters":[{"id":"pe-3_prm_1","label":"organization-defined entry and exit points to the facility where the system resides"},{"id":"pe-3_prm_2"},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems or devices"},{"id":"pe-3_prm_4","label":"organization-defined entry or exit points"},{"id":"pe-3_prm_5","label":"organization-defined controls"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-3"},{"name":"sort-id","value":"PE-03"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ad7d575f-b5fe-489b-8d48-36a93d964a5f","rel":"reference","text":"[SP 800-116]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-8","rel":"related","text":"PE-8"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ pe-3_prm_1 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }};"},{"id":"pe-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Escort visitors and monitor visitor activity {{ pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"System Access","parameters":[{"id":"pe-3.1_prm_1","label":"organization-defined physical spaces containing one or more components of the system"}],"properties":[{"name":"label","value":"PE-3(1)"},{"name":"sort-id","value":"PE-03(01)"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ pe-3.1_prm_1 }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components."}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","parameters":[{"id":"pe-4_prm_1","label":"organization-defined system distribution and transmission lines"},{"id":"pe-4_prm_2","label":"organization-defined security controls"}],"properties":[{"name":"label","value":"PE-4"},{"name":"sort-id","value":"PE-04"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-9","rel":"related","text":"PE-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-8","rel":"related","text":"SC-8"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ pe-4_prm_1 }} within organizational facilities using {{ pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors."}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","parameters":[{"id":"pe-5_prm_1","label":"organization-defined output devices"}],"properties":[{"name":"label","value":"PE-5"},{"name":"sort-id","value":"PE-05"}],"links":[{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-18","rel":"related","text":"PE-18"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ pe-5_prm_1 }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","parameters":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"properties":[{"name":"label","value":"PE-6"},{"name":"sort-id","value":"PE-06"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses."}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","properties":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"PE-06(01)"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Systems","parameters":[{"id":"pe-6.4_prm_1","label":"organization-defined physical spaces containing one or more components of the system"}],"properties":[{"name":"label","value":"PE-6(4)"},{"name":"sort-id","value":"PE-06(04)"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ pe-6.4_prm_1 }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization."}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","parameters":[{"id":"pe-8_prm_1","label":"organization-defined time-period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"},{"id":"pe-8_prm_3","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"PE-8"},{"name":"sort-id","value":"PE-08"}],"links":[{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }};"},{"id":"pe-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ pe-8_prm_2 }}; and"},{"id":"pe-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ pe-8_prm_3 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas."}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance and Review","parameters":[{"id":"pe-8.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"PE-8(1)"},{"name":"sort-id","value":"PE-08(01)"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"Maintain and review visitor access records using {{ pe-8.1_prm_1 }}."},{"id":"pe-8.1_gdn","name":"guidance","prose":"Visitor access records can be stored and maintained, for example, in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on regular basis to determine if access authorizations are current and still required to support organizational missions and business functions."}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","properties":[{"name":"label","value":"PE-9"},{"name":"sort-id","value":"PE-09"}],"links":[{"href":"#pe-4","rel":"related","text":"PE-4"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems."}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","parameters":[{"id":"pe-10_prm_1","label":"organization-defined system or individual system components"},{"id":"pe-10_prm_2","label":"organization-defined location by system or system component"}],"properties":[{"name":"label","value":"PE-10"},{"name":"sort-id","value":"PE-10"}],"links":[{"href":"#pe-15","rel":"related","text":"PE-15"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ pe-10_prm_1 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ pe-10_prm_2 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","parameters":[{"id":"pe-11_prm_1"}],"properties":[{"name":"label","value":"PE-11"},{"name":"sort-id","value":"PE-11"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system."}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Alternate Power Supply — Minimal Operational Capability","parameters":[{"id":"pe-11.1_prm_1"}],"properties":[{"name":"label","value":"PE-11(1)"},{"name":"sort-id","value":"PE-11(01)"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"Provide an alternate power supply for the system that is activated {{ pe-11.1_prm_1 }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"Provision of an alternate power supply with minimal operating capability can be satisfied, for example, by accessing a secondary commercial power supply or other external power supply."}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","properties":[{"name":"label","value":"PE-12"},{"name":"sort-id","value":"PE-12"}],"links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites."}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","properties":[{"name":"label","value":"PE-13"},{"name":"sort-id","value":"PE-13"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors."}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems – Automatic Activation and Notification","parameters":[{"id":"pe-13.1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.1_prm_2","label":"organization-defined emergency responders"}],"properties":[{"name":"label","value":"PE-13(1)"},{"name":"sort-id","value":"PE-13(01)"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ pe-13.1_prm_1 }} and {{ pe-13.1_prm_2 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire."}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Systems – Automatic Activation and Notification","parameters":[{"id":"pe-13.2_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.2_prm_2","label":"organization-defined emergency responders"}],"properties":[{"name":"label","value":"PE-13(2)"},{"name":"sort-id","value":"PE-13(02)"}],"parts":[{"id":"pe-13.2_smt","name":"statement","parts":[{"id":"pe-13.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Employ fire suppression systems that activate automatically and notify {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}; and"},{"id":"pe-13.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis."}]},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances, for example, to enter to facilities where access is restricted due to the impact level or classification of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire."}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","parameters":[{"id":"pe-14_prm_1"},{"id":"pe-14_prm_2","depends-on":"pe-14_prm_1","label":"organization-defined environmental control"},{"id":"pe-14_prm_3","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_4","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-14"},{"name":"sort-id","value":"PE-14"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pe-21","rel":"related","text":"PE-21"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and"},{"id":"pe-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ pe-14_prm_4 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure."}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","properties":[{"name":"label","value":"PE-15"},{"name":"sort-id","value":"PE-15"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pe-10","rel":"related","text":"PE-10"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations."}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","parameters":[{"id":"pe-15.1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-15.1_prm_2","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"PE-15(1)"},{"name":"sort-id","value":"PE-15(01)"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"Detect the presence of water near the system and alert {{ pe-15.1_prm_1 }} using {{ pe-15.1_prm_2 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms include notification systems, water detection sensors, and alarms."}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","parameters":[{"id":"pe-16_prm_1","label":"organization-defined types of system components"}],"properties":[{"name":"label","value":"PE-16"},{"name":"sort-id","value":"PE-16"}],"links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","parameters":[{"id":"pe-17_prm_1","label":"organization-defined alternate work sites"},{"id":"pe-17_prm_2","label":"organization-defined controls"}],"properties":[{"name":"label","value":"PE-17"},{"name":"sort-id","value":"PE-17"}],"links":[{"href":"#7768c184-088d-4ee8-a316-f9286b52df7f","rel":"reference","text":"[SP 800-46]"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ pe-17_prm_1 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ pe-17_prm_2 }};"},{"id":"pe-17_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations."}]},{"id":"pe-18","class":"SP800-53","title":"Location of System Components","parameters":[{"id":"pe-18_prm_1","label":"organization-defined physical and environmental hazards"}],"properties":[{"name":"label","value":"PE-18"},{"name":"sort-id","value":"PE-18"}],"links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-19","rel":"related","text":"PE-19"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"Position system components within the facility to minimize potential damage from {{ pe-18_prm_1 }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include floods, fires, tornados, earthquakes, hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications, including using wireless sniffers or microphones."}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2"},{"id":"pl-1_prm_3","label":"organization-defined official"},{"id":"pl-1_prm_4","label":"organization-defined frequency"},{"id":"pl-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-1"},{"name":"sort-id","value":"PL-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pl-1_prm_2 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pl-1_prm_4 }}; and"},{"id":"pl-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pl-1_prm_5 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","parameters":[{"id":"pl-2_prm_1","label":"organization-defined individuals or groups"},{"id":"pl-2_prm_2","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-2"},{"name":"sort-id","value":"PL-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-22","rel":"related","text":"SA-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.10","name":"item","properties":[{"name":"label","value":"10."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.11","name":"item","properties":[{"name":"label","value":"11."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.12","name":"item","properties":[{"name":"label","value":"12."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and"},{"id":"pl-2_smt.a.13","name":"item","properties":[{"name":"label","value":"13."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the plans {{ pl-2_prm_3 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate."}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency"},{"id":"pl-4_prm_2"},{"id":"pl-4_prm_3","depends-on":"pl-4_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"PL-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons."}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site/application Usage Restrictions","properties":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"PL-04(01)"}],"links":[{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-13","rel":"related","text":"AU-13"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites/applications;"},{"id":"pl-4.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information."}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","parameters":[{"id":"pl-8_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-8"},{"name":"sort-id","value":"PL-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pl-9","rel":"related","text":"PL-9"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs.\n[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented.\nPL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","properties":[{"name":"label","value":"PL-10"},{"name":"sort-id","value":"PL-10"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#31f3c9de-c57c-4281-929b-f9951f9640f1","rel":"reference","text":"[SP 800-53B]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ee96f130-3f91-46ed-a4d8-57e5f220a623","rel":"reference","text":"[CNSSI 1253]"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments."}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","properties":[{"name":"label","value":"PL-11"},{"name":"sort-id","value":"PL-11"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#31f3c9de-c57c-4281-929b-f9951f9640f1","rel":"reference","text":"[SP 800-53B]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ee96f130-3f91-46ed-a4d8-57e5f220a623","rel":"reference","text":"[CNSSI 1253]"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities."}]}]},{"id":"pm","class":"family","title":"Program Management","controls":[{"id":"pm-1","class":"SP800-53","title":"Information Security Program Plan","parameters":[{"id":"pm-1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-1"},{"name":"sort-id","value":"PM-01"}],"links":[{"href":"#14958422-54f6-471f-a345-802dca594dd8","rel":"reference","text":"[FISMA]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"pm-1_smt","name":"statement","parts":[{"id":"pm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide information security program plan that:","parts":[{"id":"pm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;"},{"id":"pm-1_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Reflects the coordination among organizational entities responsible for information security; and"},{"id":"pm-1_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the organization-wide information security program plan {{ pm-1_prm_1 }};"},{"id":"pm-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and"},{"id":"pm-1_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect the information security program plan from unauthorized disclosure and modification."}]},{"id":"pm-1_gdn","name":"guidance","prose":"An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents.\nInformation security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls."}]},{"id":"pm-2","class":"SP800-53","title":"Information Security Program Leadership Role","properties":[{"name":"label","value":"PM-2"},{"name":"sort-id","value":"PM-02"}],"links":[{"href":"#ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3","rel":"reference","text":"[OMB M-17-25]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"}],"parts":[{"id":"pm-2_smt","name":"statement","prose":"Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program."},{"id":"pm-2_gdn","name":"guidance","prose":"The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer."}]},{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","properties":[{"name":"label","value":"PM-3"},{"name":"sort-id","value":"PM-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","properties":[{"name":"label","value":"PM-4"},{"name":"sort-id","value":"PM-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5."}]},{"id":"pm-5","class":"SP800-53","title":"System Inventory","parameters":[{"id":"pm-5_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-5"},{"name":"sort-id","value":"PM-05"}],"links":[{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"}],"parts":[{"id":"pm-5_smt","name":"statement","prose":"Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems."},{"id":"pm-5_gdn","name":"guidance","prose":"[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8."}],"controls":[{"id":"pm-5.1","class":"SP800-53-enhancement","title":"Inventory of Personally Identifiable Information","parameters":[{"id":"pm-5.1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-5(1)"},{"name":"sort-id","value":"PM-05(01)"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-12","rel":"related","text":"CM-12"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-5.1_smt","name":"statement","prose":"Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information."},{"id":"pm-5.1_gdn","name":"guidance","prose":"An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein."}]}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","properties":[{"name":"label","value":"PM-6"},{"name":"sort-id","value":"PM-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","rel":"reference","text":"[SP 800-55]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-7","rel":"related","text":"CA-7"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program."}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","properties":[{"name":"label","value":"PM-7"},{"name":"sort-id","value":"PM-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines."}],"controls":[{"id":"pm-7.1","class":"SP800-53-enhancement","title":"Offloading","parameters":[{"id":"pm-7.1_prm_1","label":"organization-defined non-essential functions or services"}],"properties":[{"name":"label","value":"PM-7(1)"},{"name":"sort-id","value":"PM-07(01)"}],"links":[{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pm-7.1_smt","name":"statement","prose":"Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider."},{"id":"pm-7.1_gdn","name":"guidance","prose":"Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services."}]}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","properties":[{"name":"label","value":"PM-8"},{"name":"sort-id","value":"PM-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#cde25174-38e0-4a00-8919-8ee3674b8088","rel":"reference","text":"[HSPD 7]"},{"href":"#24b7b1ec-6430-41de-9353-29fdb1b488fc","rel":"reference","text":"[DHS NIPP]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","parameters":[{"id":"pm-9_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-9"},{"name":"sort-id","value":"PM-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive."}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","properties":[{"name":"label","value":"PM-10"},{"name":"sort-id","value":"PM-10"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","parameters":[{"id":"pm-11_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-11"},{"name":"sort-id","value":"PM-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ pm-11_prm_1 }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures."}]},{"id":"pm-12","class":"SP800-53","title":"Insider Threat Program","properties":[{"name":"label","value":"PM-12"},{"name":"sort-id","value":"PM-12"}],"links":[{"href":"#2b5e12fb-633f-49e6-8aff-81d75bf53545","rel":"reference","text":"[EO 13587]"},{"href":"#286d42a1-efbe-49a2-9ce1-4c9bf68feb3b","rel":"reference","text":"[ODNI NITP]"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-16","rel":"related","text":"PM-16"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#pm-14","rel":"related","text":"PM-14"}],"parts":[{"id":"pm-12_smt","name":"statement","prose":"Implement an insider threat program that includes a cross-discipline insider threat incident handling team."},{"id":"pm-12_gdn","name":"guidance","prose":"Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture.\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","properties":[{"name":"label","value":"PM-13"},{"name":"sort-id","value":"PM-13"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f4c3f657-de83-47ae-9aec-e144de8268d1","rel":"reference","text":"[SP 800-181]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","properties":[{"name":"label","value":"PM-14"},{"name":"sort-id","value":"PM-14"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."}]},{"id":"pm-15","class":"SP800-53","title":"Security and Privacy Groups and Associations","properties":[{"name":"label","value":"PM-15"},{"name":"sort-id","value":"PM-15"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-5","rel":"related","text":"SI-5"}],"parts":[{"id":"pm-15_smt","name":"statement","prose":"Establish and institutionalize contact with selected groups and associations within the security and privacy communities:","parts":[{"id":"pm-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"To facilitate ongoing security and privacy education and training for organizational personnel;"},{"id":"pm-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"To maintain currency with recommended security and privacy practices, techniques, and technologies; and"},{"id":"pm-15_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"To share current security and privacy information, including threats, vulnerabilities, and incidents."}]},{"id":"pm-15_gdn","name":"guidance","prose":"Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"pm-16","class":"SP800-53","title":"Threat Awareness Program","properties":[{"name":"label","value":"PM-16"},{"name":"sort-id","value":"PM-16"}],"links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pm-12","rel":"related","text":"PM-12"}],"parts":[{"id":"pm-16_smt","name":"statement","prose":"Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."},{"id":"pm-16_gdn","name":"guidance","prose":"Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared."}],"controls":[{"id":"pm-16.1","class":"SP800-53-enhancement","title":"Automated Means for Sharing Threat Intelligence","properties":[{"name":"label","value":"PM-16(1)"},{"name":"sort-id","value":"PM-16(01)"}],"parts":[{"id":"pm-16.1_smt","name":"statement","prose":"Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information."},{"id":"pm-16.1_gdn","name":"guidance","prose":"To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures."}]}]},{"id":"pm-17","class":"SP800-53","title":"Protecting Controlled Unclassified Information on External Systems","parameters":[{"id":"pm-17_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-17"},{"name":"sort-id","value":"PM-17"}],"links":[{"href":"#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","rel":"reference","text":"[32 CFR 2002]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#dd87fdf0-840d-4392-9de4-220b2327e340","rel":"reference","text":"[NARA CUI]"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#pm-10","rel":"related","text":"PM-10"}],"parts":[{"id":"pm-17_smt","name":"statement","parts":[{"id":"pm-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards."},{"id":"pm-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update the policy and procedures {{ pm-17_prm_1 }}."}]},{"id":"pm-17_gdn","name":"guidance","prose":"Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes."}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","properties":[{"name":"label","value":"PM-18"},{"name":"sort-id","value":"PM-18"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","properties":[{"name":"label","value":"PM-19"},{"name":"sort-id","value":"PM-19"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-20","rel":"related","text":"PM-20"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-24","rel":"related","text":"PM-24"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)."}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","properties":[{"name":"label","value":"PM-20"},{"name":"sort-id","value":"PM-20"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f7d3617a-9a4f-4f1a-a688-845081b70390","rel":"reference","text":"[OMB M-17-06]"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-8","rel":"related","text":"RA-8"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications."}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","properties":[{"name":"label","value":"PM-21"},{"name":"sort-id","value":"PM-21"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pt-2","rel":"related","text":"PT-2"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the person or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions."}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","properties":[{"name":"label","value":"PM-22"},{"name":"sort-id","value":"PM-22"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."}]},{"id":"pm-23","class":"SP800-53","title":"Data Governance Body","parameters":[{"id":"pm-23_prm_1","label":"organization-defined roles"},{"id":"pm-23_prm_2","label":"organization-defined responsibilities"}],"properties":[{"name":"label","value":"PM-23"},{"name":"sort-id","value":"PM-23"}],"links":[{"href":"#43facb7b-0afb-480f-8191-34790d5b444b","rel":"reference","text":"[EVIDACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#d843e915-eeb6-4bbe-8cab-ccc802088703","rel":"reference","text":"[OMB M-19-23]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-19","rel":"related","text":"SI-19"}],"parts":[{"id":"pm-23_smt","name":"statement","prose":"Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}."},{"id":"pm-23_gdn","name":"guidance","prose":"A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]."}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","properties":[{"name":"label","value":"PM-24"},{"name":"sort-id","value":"PM-24"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-8","rel":"related","text":"PT-8"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Pii Used in Testing, Training, and Research","parameters":[{"id":"pm-25_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-25"},{"name":"sort-id","value":"PM-25"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)."}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","parameters":[{"id":"pm-26_prm_1","label":"organization-defined time-period"},{"id":"pm-26_prm_2","label":"organization-defined time-period"},{"id":"pm-26_prm_3","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PM-26"},{"name":"sort-id","value":"PM-26"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and"},{"id":"pm-26_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information."}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","parameters":[{"id":"pm-27_prm_1","label":"organization-defined privacy reports"},{"id":"pm-27_prm_2","label":"organization-defined officials"},{"id":"pm-27_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-27"},{"name":"sort-id","value":"PM-27"}],"links":[{"href":"#14958422-54f6-471f-a345-802dca594dd8","rel":"reference","text":"[FISMA]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop {{ pm-27_prm_1 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ pm-27_prm_3 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."}]},{"id":"pm-28","class":"SP800-53","title":"Risk Framing","parameters":[{"id":"pm-28_prm_1","label":"organization-defined personnel"},{"id":"pm-28_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-28"},{"name":"sort-id","value":"PM-28"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-7","rel":"related","text":"RA-7"}],"parts":[{"id":"pm-28_smt","name":"statement","parts":[{"id":"pm-28_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document:","parts":[{"id":"pm-28_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Assumptions affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Constraints affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Priorities and trade-offs considered by the organization for managing risk; and"},{"id":"pm-28_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Organizational risk tolerance; and"}]},{"id":"pm-28_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute the results of risk framing activities to {{ pm-28_prm_1 }};"},{"id":"pm-28_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update risk framing considerations {{ pm-28_prm_2 }}."}]},{"id":"pm-28_gdn","name":"guidance","prose":"Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management."}]},{"id":"pm-29","class":"SP800-53","title":"Risk Management Program Leadership Roles","properties":[{"name":"label","value":"PM-29"},{"name":"sort-id","value":"PM-29"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-29_smt","name":"statement","parts":[{"id":"pm-29_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and"},{"id":"pm-29_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization."}]},{"id":"pm-29_gdn","name":"guidance","prose":"The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities."}]},{"id":"pm-30","class":"SP800-53","title":"Supply Chain Risk Management Strategy","parameters":[{"id":"pm-30_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-30"},{"name":"sort-id","value":"PM-30"}],"links":[{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-7","rel":"related","text":"SR-7"},{"href":"#sr-8","rel":"related","text":"SR-8"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"pm-30_smt","name":"statement","parts":[{"id":"pm-30_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;"},{"id":"pm-30_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management strategy consistently across the organization; and"},{"id":"pm-30_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes."}]},{"id":"pm-30_gdn","name":"guidance","prose":"An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level."}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","parameters":[{"id":"pm-31_prm_1","label":"organization-defined metrics"},{"id":"pm-31_prm_2","label":"organization-defined frequencies"},{"id":"pm-31_prm_3","label":"organization-defined frequencies"},{"id":"pm-31_prm_4","label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-31"},{"name":"sort-id","value":"PM-31"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};"},{"id":"pm-31_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;"},{"id":"pm-31_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}]},{"id":"pm-32","class":"SP800-53","title":"Purposing","parameters":[{"id":"pm-32_prm_1","label":"organization-defined systems or systems components"}],"properties":[{"name":"label","value":"PM-32"},{"name":"sort-id","value":"PM-32"}],"links":[{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"}],"parts":[{"id":"pm-32_smt","name":"statement","prose":"Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose."},{"id":"pm-32_gdn","name":"guidance","prose":"Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures."}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2"},{"id":"ps-1_prm_3","label":"organization-defined official"},{"id":"ps-1_prm_4","label":"organization-defined frequency"},{"id":"ps-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-1"},{"name":"sort-id","value":"PS-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ps-1_prm_2 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ps-1_prm_4 }}; and"},{"id":"ps-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ps-1_prm_5 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","parameters":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-2"},{"name":"sort-id","value":"PS-02"}],"links":[{"href":"#2383ccfd-d8a0-4e3a-bf40-21288ae1e07a","rel":"reference","text":"[5 CFR 731]"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","parameters":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"}],"properties":[{"name":"label","value":"PS-3"},{"name":"sort-id","value":"PS-03"}],"links":[{"href":"#52a8b0c6-0c6b-424b-928d-41c50ba87838","rel":"reference","text":"[EO 13526]"},{"href":"#2b5e12fb-633f-49e6-8aff-81d75bf53545","rel":"reference","text":"[EO 13587]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-21","rel":"related","text":"SA-21"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","parameters":[{"id":"ps-4_prm_1","label":"organization-defined time-period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"}],"properties":[{"name":"label","value":"PS-4"},{"name":"sort-id","value":"PS-04"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified."}],"controls":[{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Notification","parameters":[{"id":"ps-4.2_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-4.2_prm_2","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"PS-4(2)"},{"name":"sort-id","value":"PS-04(02)"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"Notify {{ ps-4.2_prm_1 }} of individual termination actions using {{ ps-4.2_prm_2 }}."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including telephonically, via electronic mail, via text message, or via websites."}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","parameters":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time-period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-5"},{"name":"sort-id","value":"PS-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-7","rel":"related","text":"PS-7"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","parameters":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-6"},{"name":"sort-id","value":"PS-06"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","parameters":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-7"},{"name":"sort-id","value":"PS-07"}],"links":[{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-21","rel":"related","text":"SA-21"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated."}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","parameters":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-8"},{"name":"sort-id","value":"PS-08"}],"links":[{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#pt-1","rel":"related","text":"PT-1"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2"},{"id":"ra-1_prm_3","label":"organization-defined official"},{"id":"ra-1_prm_4","label":"organization-defined frequency"},{"id":"ra-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-1"},{"name":"sort-id","value":"RA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ra-1_prm_2 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ra-1_prm_4 }}; and"},{"id":"ra-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ra-1_prm_5 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","properties":[{"name":"label","value":"RA-2"},{"name":"sort-id","value":"RA-02"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts.\nSecurity categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant."}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"RA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","parameters":[{"id":"ra-3.1_prm_1","label":"organization-defined systems, system components, and system services"},{"id":"ra-3.1_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-3(1)"},{"name":"sort-id","value":"RA-03(01)"}],"links":[{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#pm-17","rel":"related","text":"PM-17"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and"},{"id":"ra-3.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","parameters":[{"id":"ra-5_prm_1","label":"organization-defined frequency and/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"RA-5"},{"name":"sort-id","value":"RA-05"}],"links":[{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","rel":"reference","text":"[SP 800-126]"},{"href":"#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","rel":"reference","text":"[IR 7788]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\nVulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\nOrganizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update System Vulnerabilities","parameters":[{"id":"ra-5.2_prm_1"},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"RA-05(02)"}],"links":[{"href":"#si-5","rel":"related","text":"SI-5"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","parameters":[{"id":"ra-5.4_prm_1","label":"organization-defined corrective actions"}],"properties":[{"name":"label","value":"RA-5(4)"},{"name":"sort-id","value":"RA-05(04)"}],"links":[{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#sc-26","rel":"related","text":"SC-26"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"Determine information about the system that is discoverable and take {{ ra-5.4_prm_1 }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain without compromising or breaching the system, for example, by collecting information the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization."}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","parameters":[{"id":"ra-5.5_prm_1","label":"organization-defined system components"},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities"}],"properties":[{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"RA-05(05)"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ ra-5.5_prm_1 }} for {{ ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","properties":[{"name":"label","value":"RA-7"},{"name":"sort-id","value":"RA-07"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","parameters":[{"id":"ra-9_prm_1","label":"organization-defined systems, system components, or system services"},{"id":"ra-9_prm_2","label":"organization-defined decision points in the system development life cycle"}],"properties":[{"name":"label","value":"RA-9"},{"name":"sort-id","value":"RA-09"}],"links":[{"href":"#7a93e915-fd58-4147-be12-e48044c367e6","rel":"reference","text":"[IR 8179]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-20","rel":"related","text":"SA-20"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ ra-9_prm_1 }} at {{ ra-9_prm_2 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2."}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2"},{"id":"sa-1_prm_3","label":"organization-defined official"},{"id":"sa-1_prm_4","label":"organization-defined frequency"},{"id":"sa-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SA-1"},{"name":"sort-id","value":"SA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sa-1_prm_2 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sa-1_prm_4 }}; and"},{"id":"sa-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sa-1_prm_5 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","properties":[{"name":"label","value":"SA-2"},{"name":"sort-id","value":"SA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle."}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","parameters":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"properties":[{"name":"label","value":"SA-3"},{"name":"sort-id","value":"SA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#aad55f03-8ece-4b21-b09c-9ef65b5a9f55","rel":"reference","text":"[SP 800-171B]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-22","rel":"related","text":"SA-22"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-9","rel":"related","text":"SR-9"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle."}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","parameters":[{"id":"sa-4_prm_1"},{"id":"sa-4_prm_2","depends-on":"sa-4_prm_1","label":"organization-defined contract language"}],"properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"SA-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#6ddb507b-6ddb-4e15-a8d4-0854e704446e","rel":"reference","text":"[ISO 15408-1]"},{"href":"#18abb755-c10f-407d-b0ef-4f99e5ec4a49","rel":"reference","text":"[ISO 15408-2]"},{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#daf69edb-a0ef-4447-9880-8c4bf553181f","rel":"reference","text":"[IR 7676]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#5dac2312-1d0d-416f-aebb-400fa9775b74","rel":"reference","text":"[NIAP CCEVS]"},{"href":"#634dec27-df88-4c30-b1a4-b57cdfd24f20","rel":"reference","text":"[NSA CSFC]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement."}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","properties":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"SA-04(01)"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","parameters":[{"id":"sa-4.2_prm_1"},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design and implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"properties":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"SA-04(02)"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."}]},{"id":"sa-4.5","class":"SP800-53-enhancement","title":"System, Component, and Service Configurations","parameters":[{"id":"sa-4.5_prm_1","label":"organization-defined security configurations"}],"properties":[{"name":"label","value":"SA-4(5)"},{"name":"sort-id","value":"SA-04(05)"}],"parts":[{"id":"sa-4.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-4.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Deliver the system, component, or service with {{ sa-4.5_prm_1 }} implemented; and"},{"id":"sa-4.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade."}]},{"id":"sa-4.5_gdn","name":"guidance","prose":"Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed."}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","properties":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"SA-04(09)"}],"links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sa-9","rel":"related","text":"SA-9"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","properties":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"SA-04(10)"}],"links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pm-9","rel":"related","text":"PM-9"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations."}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","parameters":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-5"},{"name":"sort-id","value":"SA-05"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtain administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Obtain user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect documentation as required, in accordance with the organizational risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Distribute documentation to {{ sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","parameters":[{"id":"sa-8_prm_1","label":"organization-defined systems security and privacy engineering principles"}],"properties":[{"name":"label","value":"SA-8"},{"name":"sort-id","value":"SA-08"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-20","rel":"related","text":"SA-20"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-39","rel":"related","text":"SC-39"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\nThe application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design."}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"SA-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","parameters":[{"id":"sa-9.2_prm_1","label":"organization-defined external system services"}],"properties":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"SA-09(02)"}],"links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ sa-9.2_prm_1 }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","parameters":[{"id":"sa-10_prm_1"},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"SA-10"},{"name":"sort-id","value":"SA-10"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ sa-10_prm_3 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.\nThe configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","parameters":[{"id":"sa-11_prm_1"},{"id":"sa-11_prm_2","label":"organization-defined frequency"},{"id":"sa-11_prm_3","label":"organization-defined depth and coverage"}],"properties":[{"name":"label","value":"SA-11"},{"name":"sort-id","value":"SA-11"}],"links":[{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#fd0f14f5-8910-45c4-b60a-0c8936e00daa","rel":"reference","text":"[SP 800-154]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-7","rel":"related","text":"SR-7"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy assessments;"},{"id":"sa-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }};"},{"id":"sa-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","parameters":[{"id":"sa-15_prm_1","label":"organization-defined frequency"},{"id":"sa-15_prm_2","label":"organization-defined security and privacy requirements"}],"properties":[{"name":"label","value":"SA-15"},{"name":"sort-id","value":"SA-15"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#7a93e915-fd58-4147-be12-e48044c367e6","rel":"reference","text":"[IR 8179]"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ sa-15_prm_1 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes."}],"controls":[{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","parameters":[{"id":"sa-15.3_prm_1","label":"organization-defined decision points in the system development life cycle"},{"id":"sa-15.3_prm_2","label":"organization-defined breadth and depth of criticality analysis"}],"properties":[{"name":"label","value":"SA-15(3)"},{"name":"sort-id","value":"SA-15(03)"}],"links":[{"href":"#ra-9","rel":"related","text":"RA-9"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ sa-15.3_prm_1 }}; and"},{"id":"sa-15.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","parameters":[{"id":"sa-16_prm_1","label":"organization-defined training"}],"properties":[{"name":"label","value":"SA-16"},{"name":"sort-id","value":"SA-16"}],"links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: {{ sa-16_prm_1 }}."},{"id":"sa-16_gdn","name":"guidance","prose":"Developer-provided training applies to external and internal (in-house) developers. Training of personnel is an essential element to help ensure the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training; classroom-style training; and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms."}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security Architecture and Design","properties":[{"name":"label","value":"SA-17"},{"name":"sort-id","value":"SA-17"}],"links":[{"href":"#18abb755-c10f-407d-b0ef-4f99e5ec4a49","rel":"reference","text":"[ISO 15408-2]"},{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to produce a design specification and security architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Is consistent with the organization’s security architecture that is an integral part the organization’s enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security functionality, and the allocation of controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"Developer security architecture and design is directed at external developers, although it could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security architecture and that the architecture is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services, and when there is a requirement to demonstrate consistency with the enterprise architecture and security architecture of the organization. [ISO 15408-2], [ISO 15408-3], and [SP 800-160 v1] provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing."}]},{"id":"sa-21","class":"SP800-53","title":"Developer Screening","parameters":[{"id":"sa-21_prm_1","label":"organization-defined system, system component, or system service"},{"id":"sa-21_prm_2","label":"organization-defined official government duties"},{"id":"sa-21_prm_3","label":"organization-defined additional personnel screening criteria"}],"properties":[{"name":"label","value":"SA-21"},{"name":"sort-id","value":"SA-21"}],"links":[{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-4","rel":"related","text":"SA-4"}],"parts":[{"id":"sa-21_smt","name":"statement","prose":"Require that the developer of {{ sa-21_prm_1 }}:","parts":[{"id":"sa-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Has appropriate access authorizations as determined by assigned {{ sa-21_prm_2 }};"},{"id":"sa-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Satisfies the following additional personnel screening criteria: {{ sa-21_prm_3 }}; and"},{"id":"sa-21_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides information that the access authorizations and screening criteria are satisfied."}]},{"id":"sa-21_gdn","name":"guidance","prose":"Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals accessing the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships the company has with entities potentially affecting the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements."}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","parameters":[{"id":"sa-22_prm_1"},{"id":"sa-22_prm_2","depends-on":"sa-22_prm_1","label":"organization-defined support from external providers"}],"properties":[{"name":"label","value":"SA-22"},{"name":"sort-id","value":"SA-22"}],"links":[{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors."}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2"},{"id":"sc-1_prm_3","label":"organization-defined official"},{"id":"sc-1_prm_4","label":"organization-defined frequency"},{"id":"sc-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SC-1"},{"name":"sort-id","value":"SC-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sc-1_prm_2 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sc-1_prm_4 }}; and"},{"id":"sc-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sc-1_prm_5 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","properties":[{"name":"label","value":"SC-2"},{"name":"sort-id","value":"SC-02"}],"links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-22","rel":"related","text":"SC-22"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-39","rel":"related","text":"SC-39"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18)."}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","properties":[{"name":"label","value":"SC-3"},{"name":"sort-id","value":"SC-03"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-39","rel":"related","text":"SC-39"},{"href":"#si-16","rel":"related","text":"SI-16"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"Isolate security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Systems implement code separation in many ways, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18)."}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","properties":[{"name":"label","value":"SC-4"},{"name":"sort-id","value":"SC-04"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","parameters":[{"id":"sc-5_prm_1"},{"id":"sc-5_prm_2","label":"organization-defined types of denial of service events"},{"id":"sc-5_prm_3","label":"organization-defined controls by type of denial of service event"}],"properties":[{"name":"label","value":"SC-5"},{"name":"sort-id","value":"SC-05"}],"links":[{"href":"#3862cd94-ff25-4631-9a9a-b92c21a0a923","rel":"reference","text":"[SP 800-189]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#sc-6","rel":"related","text":"SC-6"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-40","rel":"related","text":"SC-40"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"\n {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and"},{"id":"sc-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events."}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","parameters":[{"id":"sc-7_prm_1"}],"properties":[{"name":"label","value":"SC-7"},{"name":"sort-id","value":"SC-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#db7877cf-1013-4fb1-b943-ca9361d16370","rel":"reference","text":"[SP 800-41]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#3862cd94-ff25-4631-9a9a-b92c21a0a923","rel":"reference","text":"[SP 800-189]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-43","rel":"related","text":"SC-43"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions."}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","properties":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"SC-07(03)"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","parameters":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"SC-07(04)"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#sc-8","rel":"related","text":"SC-8"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ sc-7.4_prm_1 }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","properties":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","properties":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.”"}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","parameters":[{"id":"sc-7.5_prm_1"},{"id":"sc-7.5_prm_2","depends-on":"sc-7.5_prm_1","label":"organization-defined systems"}],"properties":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"SC-07(05)"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ sc-7.5_prm_1 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","properties":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"SC-07(07)"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information."}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","parameters":[{"id":"sc-7.8_prm_1","label":"organization-defined internal communications traffic"},{"id":"sc-7.8_prm_2","label":"organization-defined external networks"}],"properties":[{"name":"label","value":"SC-7(8)"},{"name":"sort-id","value":"SC-07(08)"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation)."}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","properties":[{"name":"label","value":"SC-7(18)"},{"name":"sort-id","value":"SC-07(18)"}],"links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-12","rel":"related","text":"CP-12"},{"href":"#sc-24","rel":"related","text":"SC-24"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases."}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of System Components","parameters":[{"id":"sc-7.21_prm_1","label":"organization-defined system components"},{"id":"sc-7.21_prm_2","label":"organization-defined missions and/or business functions"}],"properties":[{"name":"label","value":"SC-7(21)"},{"name":"sort-id","value":"SC-07(21)"}],"links":[{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#sc-3","rel":"related","text":"SC-3"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"Employ boundary protection mechanisms to isolate {{ sc-7.21_prm_1 }} supporting {{ sc-7.21_prm_2 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate system components performing different missions or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization techniques; cross-domain devices separating subnetworks; and encrypting information flows among system components using distinct encryption keys."}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","parameters":[{"id":"sc-8_prm_1"}],"properties":[{"name":"label","value":"SC-8"},{"name":"sort-id","value":"SC-08"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#bbc7085f-b383-444e-af74-722a55cccc0f","rel":"reference","text":"[FIPS 197]"},{"href":"#286604ec-e383-4c1d-bd8c-d88f88e54a0f","rel":"reference","text":"[SP 800-52]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#36132a58-56fd-4980-9f6c-c010d3faf52b","rel":"reference","text":"[SP 800-113]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-28","rel":"related","text":"SC-28"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ sc-8_prm_1 }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\nOrganizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"sc-8.1_prm_1"}],"properties":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"SC-08(01)"}],"links":[{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path."}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","parameters":[{"id":"sc-10_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"SC-10"},{"name":"sort-id","value":"SC-10"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#sc-23","rel":"related","text":"SC-23"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses."}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","parameters":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"properties":[{"name":"label","value":"SC-12"},{"name":"sort-id","value":"SC-12"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#77dc1838-3664-4faa-bc6e-4e2a16e52f35","rel":"reference","text":"[SP 800-56A]"},{"href":"#f417e4ec-cadb-47a8-a363-6006b32c28ad","rel":"reference","text":"[SP 800-56B]"},{"href":"#7c3ba335-62bd-4f03-888f-960790409b11","rel":"reference","text":"[SP 800-56C]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#f437b52f-7f26-42aa-8e8f-999e7d67b2fe","rel":"reference","text":"[IR 7956]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-11","rel":"related","text":"SC-11"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","properties":[{"name":"label","value":"SC-12(1)"},{"name":"sort-id","value":"SC-12(01)"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"Maintain availability of information in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. A forgotten passphrase is an example of losing a cryptographic key."}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","parameters":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses"},{"id":"sc-13_prm_2","label":"organization-defined types of cryptography for each specified cryptographic use"}],"properties":[{"name":"label","value":"SC-13"},{"name":"sort-id","value":"SC-13"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine the {{ sc-13_prm_1 }}; and"},{"id":"sc-13_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","parameters":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"properties":[{"name":"label","value":"SC-15"},{"name":"sort-id","value":"SC-15"}],"links":[{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#sc-42","rel":"related","text":"SC-42"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated."}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","parameters":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"properties":[{"name":"label","value":"SC-17"},{"name":"sort-id","value":"SC-17"}],"links":[{"href":"#b7140427-d4c4-467a-97a1-5ca9f7c6584a","rel":"reference","text":"[SP 800-32]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#sc-12","rel":"related","text":"SC-12"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ sc-17_prm_1 }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","properties":[{"name":"label","value":"SC-18"},{"name":"sort-id","value":"SC-18"}],"links":[{"href":"#8e334d74-fc06-47a9-bbb1-804fdfae0e44","rel":"reference","text":"[SP 800-28]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-3","rel":"related","text":"SI-3"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name/address Resolution Service (authoritative Source)","properties":[{"name":"label","value":"SC-20"},{"name":"sort-id","value":"SC-20"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-22","rel":"related","text":"SC-22"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name/address Resolution Service (recursive or Caching Resolver)","properties":[{"name":"label","value":"SC-21"},{"name":"sort-id","value":"SC-21"}],"links":[{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-22","rel":"related","text":"SC-22"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name/address Resolution Service","properties":[{"name":"label","value":"SC-22"},{"name":"sort-id","value":"SC-22"}],"links":[{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-24","rel":"related","text":"SC-24"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists."}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","properties":[{"name":"label","value":"SC-23"},{"name":"sort-id","value":"SC-23"}],"links":[{"href":"#286604ec-e383-4c1d-bd8c-d88f88e54a0f","rel":"reference","text":"[SP 800-52]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#1d91d984-0cb6-4f96-a01d-c39a3eee7d43","rel":"reference","text":"[SP 800-95]"},{"href":"#36132a58-56fd-4980-9f6c-c010d3faf52b","rel":"reference","text":"[SP 800-113]"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-11","rel":"related","text":"SC-11"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions."}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","parameters":[{"id":"sc-24_prm_1","label":"organization-defined known system state"},{"id":"sc-24_prm_2","label":"organization-defined system state information"},{"id":"sc-24_prm_3","label":"list of organization-defined types of system failures on organization-defined system components"}],"properties":[{"name":"label","value":"SC-24"},{"name":"sort-id","value":"SC-24"}],"links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-12","rel":"related","text":"CP-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-22","rel":"related","text":"SC-22"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"Fail to a {{ sc-24_prm_1 }} for the following failures on the indicated components while preserving {{ sc-24_prm_2 }} in failure: {{ sc-24_prm_3 }}."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes."}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","parameters":[{"id":"sc-28_prm_1"},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"properties":[{"name":"label","value":"SC-28"},{"name":"sort-id","value":"SC-28"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#77dc1838-3664-4faa-bc6e-4e2a16e52f35","rel":"reference","text":"[SP 800-56A]"},{"href":"#f417e4ec-cadb-47a8-a363-6006b32c28ad","rel":"reference","text":"[SP 800-56B]"},{"href":"#7c3ba335-62bd-4f03-888f-960790409b11","rel":"reference","text":"[SP 800-56C]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-16","rel":"related","text":"SI-16"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ sc-28_prm_1 }} of the following information at rest: {{ sc-28_prm_2 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage."}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"sc-28.1_prm_1","label":"organization-defined system components or media"},{"id":"sc-28.1_prm_2","label":"organization-defined information"}],"properties":[{"name":"label","value":"SC-28(1)"},{"name":"sort-id","value":"SC-28(01)"}],"links":[{"href":"#ac-19","rel":"related","text":"AC-19"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ sc-28.1_prm_1 }}: {{ sc-28.1_prm_2 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13)."}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","properties":[{"name":"label","value":"SC-39"},{"name":"sort-id","value":"SC-39"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#si-16","rel":"related","text":"SI-16"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2"},{"id":"si-1_prm_3","label":"organization-defined official"},{"id":"si-1_prm_4","label":"organization-defined frequency"},{"id":"si-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-1"},{"name":"sort-id","value":"SI-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ si-1_prm_2 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ si-1_prm_4 }}; and"},{"id":"si-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ si-1_prm_5 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","parameters":[{"id":"si-2_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"SI-2"},{"name":"sort-id","value":"SI-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","rel":"reference","text":"[IR 7788]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-5","rel":"related","text":"SI-5"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\nOrganization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."}],"controls":[{"id":"si-2.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-2(1)"},{"name":"sort-id","value":"SI-02(01)"}],"links":[{"href":"#pl-9","rel":"related","text":"PL-9"}],"parts":[{"id":"si-2.1_smt","name":"statement","prose":"Centrally manage the flaw remediation process."},{"id":"si-2.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of flaw remediation processes. It includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation controls."}]},{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","parameters":[{"id":"si-2.2_prm_1","label":"organization-defined automated mechanisms"},{"id":"si-2.2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"SI-02(02)"}],"links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ si-2.2_prm_1 }}\n {{ si-2.2_prm_2 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","parameters":[{"id":"si-3_prm_1"},{"id":"si-3_prm_2","label":"organization-defined frequency"},{"id":"si-3_prm_3"},{"id":"si-3_prm_4"},{"id":"si-3_prm_5","depends-on":"si-3_prm_4","label":"organization-defined action"},{"id":"si-3_prm_6","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-3"},{"name":"sort-id","value":"SI-03"}],"links":[{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#c972a85c-fa75-4596-be25-a338dc7e4e46","rel":"reference","text":"[SP 800-125B]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-8","rel":"related","text":"SI-8"},{"href":"#si-15","rel":"related","text":"SI-15"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection."}]},{"id":"si-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions.\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files."}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"SI-03(01)"}],"links":[{"href":"#pl-9","rel":"related","text":"PL-9"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"Centrally manage malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls."}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","parameters":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5"},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-4"},{"name":"sort-id","value":"SI-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#02d8ec60-6197-43f8-9f47-18732127963e","rel":"reference","text":"[SP 800-92]"},{"href":"#41e2e2c6-2260-4258-85c8-09db17c43103","rel":"reference","text":"[SP 800-94]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-10","rel":"related","text":"IA-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#sc-35","rel":"related","text":"SC-35"},{"href":"#sc-36","rel":"related","text":"SC-36"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-6","rel":"related","text":"SI-6"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n {{ si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\nDepending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","properties":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"SI-04(02)"}],"links":[{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-25","rel":"related","text":"PM-25"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","parameters":[{"id":"si-4.4_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"SI-04(04)"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"Monitor inbound and outbound communications traffic {{ si-4.4_prm_1 }} for unusual or unauthorized activities or conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components."}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","parameters":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"properties":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"SI-04(05)"}],"links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#pe-6","rel":"related","text":"PE-6"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ si-4.5_prm_1 }} when the following system-generated indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats."}]},{"id":"si-4.10","class":"SP800-53-enhancement","title":"Visibility of Encrypted Communications","parameters":[{"id":"si-4.10_prm_1","label":"organization-defined encrypted communications traffic"},{"id":"si-4.10_prm_2","label":"organization-defined system monitoring tools and mechanisms"}],"properties":[{"name":"label","value":"SI-4(10)"},{"name":"sort-id","value":"SI-04(10)"}],"parts":[{"id":"si-4.10_smt","name":"statement","prose":"Make provisions so that {{ si-4.10_prm_1 }} is visible to {{ si-4.10_prm_2 }}."},{"id":"si-4.10_gdn","name":"guidance","prose":"Organizations balance the need for encrypting communications traffic to protect data confidentiality with the need for having visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types."}]},{"id":"si-4.12","class":"SP800-53-enhancement","title":"Automated Organization-generated Alerts","parameters":[{"id":"si-4.12_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.12_prm_2","label":"organization-defined automated mechanisms"},{"id":"si-4.12_prm_3","label":"organization-defined activities that trigger alerts"}],"properties":[{"name":"label","value":"SI-4(12)"},{"name":"sort-id","value":"SI-04(12)"}],"parts":[{"id":"si-4.12_smt","name":"statement","prose":"Alert {{ si-4.12_prm_1 }} using {{ si-4.12_prm_2 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ si-4.12_prm_3 }}."},{"id":"si-4.12_gdn","name":"guidance","prose":"Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by systems in SI-4(5) that focus on information sources that are internal to the systems such as audit records, the sources of information for this enhancement focus on other entities such as suspicious activity reports and reports on potential insider threats."}]},{"id":"si-4.14","class":"SP800-53-enhancement","title":"Wireless Intrusion Detection","properties":[{"name":"label","value":"SI-4(14)"},{"name":"sort-id","value":"SI-04(14)"}],"links":[{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-3","rel":"related","text":"IA-3"}],"parts":[{"id":"si-4.14_smt","name":"statement","prose":"Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."},{"id":"si-4.14_gdn","name":"guidance","prose":"Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems, but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems."}]},{"id":"si-4.20","class":"SP800-53-enhancement","title":"Privileged Users","parameters":[{"id":"si-4.20_prm_1","label":"organization-defined additional monitoring"}],"properties":[{"name":"label","value":"SI-4(20)"},{"name":"sort-id","value":"SI-04(20)"}],"links":[{"href":"#ac-18","rel":"related","text":"AC-18"}],"parts":[{"id":"si-4.20_smt","name":"statement","prose":"Implement the following additional monitoring of privileged users: {{ si-4.20_prm_1 }}."},{"id":"si-4.20_gdn","name":"guidance","prose":"Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions."}]},{"id":"si-4.22","class":"SP800-53-enhancement","title":"Unauthorized Network Services","parameters":[{"id":"si-4.22_prm_1","label":"organization-defined authorization or approval processes"},{"id":"si-4.22_prm_2"},{"id":"si-4.22_prm_3","depends-on":"si-4.22_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-4(22)"},{"name":"sort-id","value":"SI-04(22)"}],"links":[{"href":"#cm-7","rel":"related","text":"CM-7"}],"parts":[{"id":"si-4.22_smt","name":"statement","parts":[{"id":"si-4.22_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Detect network services that have not been authorized or approved by {{ si-4.22_prm_1 }}; and"},{"id":"si-4.22_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"\n {{ si-4.22_prm_2 }} when detected."}]},{"id":"si-4.22_gdn","name":"guidance","prose":"Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services."}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","parameters":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2"},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"properties":[{"name":"label","value":"SI-5"},{"name":"sort-id","value":"SI-05"}],"links":[{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#pm-15","rel":"related","text":"PM-15"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","parameters":[{"id":"si-5.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"SI-5(1)"},{"name":"sort-id","value":"SI-05(01)"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"Broadcast security alert and advisory information throughout the organization using {{ si-5.1_prm_1 }}."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of information security and privacy risk, including the governance level, mission and business process level, and the information system level."}]}]},{"id":"si-6","class":"SP800-53","title":"Security and Privacy Function Verification","parameters":[{"id":"si-6_prm_1","label":"organization-defined security and privacy functions"},{"id":"si-6_prm_2"},{"id":"si-6_prm_3","depends-on":"si-6_prm_2","label":"organization-defined system transitional states"},{"id":"si-6_prm_4","depends-on":"si-6_prm_2","label":"organization-defined frequency"},{"id":"si-6_prm_5","label":"organization-defined personnel or roles"},{"id":"si-6_prm_6"},{"id":"si-6_prm_7","depends-on":"si-6_prm_6","label":"organization-defined alternative action(s)"}],"properties":[{"name":"label","value":"SI-6"},{"name":"sort-id","value":"SI-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"si-6_smt","name":"statement","parts":[{"id":"si-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verify the correct operation of {{ si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Perform the verification of the functions specified in SI-6a {{ si-6_prm_2 }};"},{"id":"si-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Notify {{ si-6_prm_5 }} of failed security and privacy verification tests; and"},{"id":"si-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"\n {{ si-6_prm_6 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy, or that privacy attributes are applied or used as expected."}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","parameters":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","label":"organization-defined actions"}],"properties":[{"name":"label","value":"SI-7"},{"name":"sort-id","value":"SI-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#e9224c9b-4fa5-40b7-bfbb-02bff7712d92","rel":"reference","text":"[SP 800-147]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ si-7_prm_1 }}; and"},{"id":"si-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications."}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","parameters":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2"},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"SI-07(01)"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ si-7.1_prm_1 }}\n {{ si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","parameters":[{"id":"si-7.2_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-7(2)"},{"name":"sort-id","value":"SI-07(02)"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"Employ automated tools that provide notification to {{ si-7.2_prm_1 }} upon discovering discrepancies during integrity verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel having an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, systems administrators, software developers, systems integrators, and information security officers, and privacy officers."}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","parameters":[{"id":"si-7.5_prm_1"},{"id":"si-7.5_prm_2","depends-on":"si-7.5_prm_1","label":"organization-defined controls"}],"properties":[{"name":"label","value":"SI-7(5)"},{"name":"sort-id","value":"SI-07(05)"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"Automatically {{ si-7.5_prm_1 }} when integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity checking responses by type of information, by specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur."}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","parameters":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the system"}],"properties":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"SI-07(07)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ si-7.7_prm_1 }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges."}]},{"id":"si-7.15","class":"SP800-53-enhancement","title":"Code Authentication","parameters":[{"id":"si-7.15_prm_1","label":"organization-defined software or firmware components"}],"properties":[{"name":"label","value":"SI-7(15)"},{"name":"sort-id","value":"SI-07(15)"}],"links":[{"href":"#cm-5","rel":"related","text":"CM-5"}],"parts":[{"id":"si-7.15_smt","name":"statement","prose":"Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ si-7.15_prm_1 }}."},{"id":"si-7.15_gdn","name":"guidance","prose":"Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations employing cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13)."}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","properties":[{"name":"label","value":"SI-8"},{"name":"sort-id","value":"SI-08"}],"links":[{"href":"#23b0a203-c020-47dd-b86c-9f8c35ecaa4e","rel":"reference","text":"[SP 800-45]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"SI-08(01)"}],"links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"Centrally manage spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls."}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","parameters":[{"id":"si-8.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"SI-08(02)"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ si-8.2_prm_1 }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability."}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","parameters":[{"id":"si-10_prm_1","label":"organization-defined information inputs to the system"}],"properties":[{"name":"label","value":"SI-10"},{"name":"sort-id","value":"SI-10"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks."}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","parameters":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-11"},{"name":"sort-id","value":"SI-11"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"SI-12"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sr-1","rel":"related","text":"SR-1"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel."}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","parameters":[{"id":"si-16_prm_1","label":"organization-defined controls"}],"properties":[{"name":"label","value":"SI-16"},{"name":"sort-id","value":"SI-16"}],"links":[{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sc-3","rel":"related","text":"SC-3"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ si-16_prm_1 }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sr-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sr-1_prm_2"},{"id":"sr-1_prm_3","label":"organization-defined official"},{"id":"sr-1_prm_4","label":"organization-defined frequency"},{"id":"sr-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-1"},{"name":"sort-id","value":"SR-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sr-1_prm_2 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sr-1_prm_4 }}; and"},{"id":"sr-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sr-1_prm_5 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","parameters":[{"id":"sr-2_prm_1","label":"organization-defined systems, system components, or system services"},{"id":"sr-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-2"},{"name":"sort-id","value":"SR-02"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }};"},{"id":"sr-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management plan consistently across the organization; and"},{"id":"sr-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans.\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8)."}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish Scrm Team","parameters":[{"id":"sr-2.1_prm_1","label":"organization-defined personnel, roles, and responsibilities"},{"id":"sr-2.1_prm_2","label":"organization-defined supply chain risk management activities"}],"properties":[{"name":"label","value":"SR-2(1)"},{"name":"sort-id","value":"SR-02(01)"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team."}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","parameters":[{"id":"sr-3_prm_1","label":"organization-defined system or system component"},{"id":"sr-3_prm_2","label":"organization-defined supply chain personnel"},{"id":"sr-3_prm_3","label":"organization-defined supply chain controls"},{"id":"sr-3_prm_4"},{"id":"sr-3_prm_5","depends-on":"sr-3_prm_4","label":"organization-defined document"}],"properties":[{"name":"label","value":"SR-3"},{"name":"sort-id","value":"SR-03"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-29","rel":"related","text":"SC-29"},{"href":"#sc-30","rel":"related","text":"SC-30"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }};"},{"id":"sr-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and"},{"id":"sr-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","parameters":[{"id":"sr-5_prm_1","label":"organization-defined acquisition strategies, contract tools, and procurement methods"}],"properties":[{"name":"label","value":"SR-5"},{"name":"sort-id","value":"SR-05"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Reviews","parameters":[{"id":"sr-6_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-6"},{"name":"sort-id","value":"SR-06"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ sr-6_prm_1 }}."},{"id":"sr-6_gdn","name":"guidance","prose":"A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts."}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","parameters":[{"id":"sr-8_prm_1"},{"id":"sr-8_prm_2","depends-on":"sr-8_prm_1","label":"organization-defined information"}],"properties":[{"name":"label","value":"SR-8"},{"name":"sort-id","value":"SR-08"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."}]},{"id":"sr-9","class":"SP800-53","title":"Tamper Resistance and Detection","properties":[{"name":"label","value":"SR-9"},{"name":"sort-id","value":"SR-09"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-10","rel":"related","text":"SR-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-9_smt","name":"statement","prose":"Implement a tamper protection program for the system, system component, or system service."},{"id":"sr-9_gdn","name":"guidance","prose":"Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use."}],"controls":[{"id":"sr-9.1","class":"SP800-53-enhancement","title":"Multiple Stages of System Development Life Cycle","properties":[{"name":"label","value":"SR-9(1)"},{"name":"sort-id","value":"SR-09(01)"}],"links":[{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"sr-9.1_smt","name":"statement","prose":"Employ anti-tamper technologies, tools, and techniques during multiple stages in the system development life cycle, including design, development, integration, operations, and maintenance."},{"id":"sr-9.1_gdn","name":"guidance","prose":"Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage."}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","parameters":[{"id":"sr-10_prm_1"},{"id":"sr-10_prm_2","depends-on":"sr-10_prm_1","label":"organization-defined frequency"},{"id":"sr-10_prm_3","depends-on":"sr-10_prm_1","label":"organization-defined indications of need for inspection"},{"id":"sr-10_prm_4","label":"organization-defined systems or system components"}],"properties":[{"name":"label","value":"SR-10"},{"name":"sort-id","value":"SR-10"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations."}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","parameters":[{"id":"sr-11_prm_1"},{"id":"sr-11_prm_2","depends-on":"sr-11_prm_1","label":"organization-defined external reporting organizations"},{"id":"sr-11_prm_3","depends-on":"sr-11_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SR-11"},{"name":"sort-id","value":"SR-11"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ sr-11_prm_1 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","parameters":[{"id":"sr-11.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SR-11(1)"},{"name":"sort-id","value":"SR-11(01)"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","parameters":[{"id":"sr-11.2_prm_1","label":"organization-defined system components"}],"properties":[{"name":"label","value":"SR-11(2)"},{"name":"sort-id","value":"SR-11(02)"}],"links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sa-10","rel":"related","text":"SA-10"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."}]},{"id":"sr-11.3","class":"SP800-53-enhancement","title":"Component Disposal","parameters":[{"id":"sr-11.3_prm_1","label":"organization-defined techniques and methods"}],"properties":[{"name":"label","value":"SR-11(3)"},{"name":"sort-id","value":"SR-11(03)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"}],"parts":[{"id":"sr-11.3_smt","name":"statement","prose":"Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}."},{"id":"sr-11.3_gdn","name":"guidance","prose":"Proper disposal of system components helps to prevent such components from entering the gray market."}]}]}]}],"back-matter":{"resources":[{"uuid":"a7dfa526-b81f-41d7-9875-c8b0faafe74b","title":"[PRIVACT]","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf"}]},{"uuid":"43facb7b-0afb-480f-8191-34790d5b444b","title":"[EVIDACT]","citation":{"text":"Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019."},"rlinks":[{"href":"https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf"}]},{"uuid":"52a8b0c6-0c6b-424b-928d-41c50ba87838","title":"[EO 13526]","citation":{"text":"Executive Order 13526, *Classified National Security Information*, December 2009."},"rlinks":[{"href":"https://www.archives.gov/isoo/policy-documents/cnsi-eo.html"}]},{"uuid":"14958422-54f6-471f-a345-802dca594dd8","title":"[FISMA]","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf"}]},{"uuid":"2b5e12fb-633f-49e6-8aff-81d75bf53545","title":"[EO 13587]","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011."},"rlinks":[{"href":"https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"cde25174-38e0-4a00-8919-8ee3674b8088","title":"[HSPD 7]","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003."},"rlinks":[{"href":"https://www.dhs.gov/homeland-security-presidential-directive-7"}]},{"uuid":"2383ccfd-d8a0-4e3a-bf40-21288ae1e07a","title":"[5 CFR 731]","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106)."},"rlinks":[{"href":"https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","title":"[32 CFR 2002]","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002)."},"rlinks":[{"href":"https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information"}]},{"uuid":"286d42a1-efbe-49a2-9ce1-4c9bf68feb3b","title":"[ODNI NITP]","citation":{"text":"Office of the Director National Intelligence, *National Insider Threat Policy*\n "},"rlinks":[{"href":"https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf"}]},{"uuid":"395f6bb9-bcc2-41fc-977f-04372f4a6a82","title":"[OMB A-108]","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf"}]},{"uuid":"a646d45d-775f-4887-86d3-5a00ffbc4090","title":"[OMB A-130]","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016."},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf"}]},{"uuid":"f7d3617a-9a4f-4f1a-a688-845081b70390","title":"[OMB M-17-06]","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf"}]},{"uuid":"389fe193-866e-46b1-bf1d-38904b56aa7b","title":"[OMB M-17-12]","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n "},"rlinks":[{"href":"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf"}]},{"uuid":"ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3","title":"[OMB M-17-25]","citation":{"text":"Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf"}]},{"uuid":"d843e915-eeb6-4bbe-8cab-ccc802088703","title":"[OMB M-19-23]","citation":{"text":"Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf"}]},{"uuid":"ee96f130-3f91-46ed-a4d8-57e5f220a623","title":"[CNSSI 1253]","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014."},"rlinks":[{"href":"https://www.cnss.gov/CNSS/issuances/Instructions.cfm"}]},{"uuid":"24b7b1ec-6430-41de-9353-29fdb1b488fc","title":"[DHS NIPP]","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009."},"rlinks":[{"href":"https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf"}]},{"uuid":"6ddb507b-6ddb-4e15-a8d4-0854e704446e","title":"[ISO 15408-1]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf"}]},{"uuid":"18abb755-c10f-407d-b0ef-4f99e5ec4a49","title":"[ISO 15408-2]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf"}]},{"uuid":"2ce3a8bf-7f8b-4249-bd16-808231415b14","title":"[ISO 15408-3]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf"}]},{"uuid":"aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","title":"[FIPS 140-3]","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.140-3"}]},{"uuid":"d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","title":"[FIPS 180-4]","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.180-4"}]},{"uuid":"0b9fe06d-1b89-4dba-b9f8-3baf51504b17","title":"[FIPS 186-4]","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.186-4"}]},{"uuid":"bbc7085f-b383-444e-af74-722a55cccc0f","title":"[FIPS 197]","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.197"}]},{"uuid":"b3e26423-0687-47c7-ba9a-a96870d58a27","title":"[FIPS 199]","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.199"}]},{"uuid":"f2163084-3287-45e2-9ee7-95f020415495","title":"[FIPS 200]","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.200"}]},{"uuid":"ab414c48-b7a2-4ffe-b74d-4d8b8120adce","title":"[FIPS 201-2]","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.201-2"}]},{"uuid":"11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","title":"[FIPS 202]","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.202"}]},{"uuid":"12702585-0c72-43c9-9185-a76a59f74233","title":"[SP 800-12]","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"ae962073-f9bb-4210-b1ad-53ef6f6afad6","title":"[SP 800-18]","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-18r1"}]},{"uuid":"8e334d74-fc06-47a9-bbb1-804fdfae0e44","title":"[SP 800-28]","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-28ver2"}]},{"uuid":"1d9f757b-00d5-4db1-b15b-0ad641c6df7c","title":"[SP 800-30]","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-30r1"}]},{"uuid":"b7140427-d4c4-467a-97a1-5ca9f7c6584a","title":"[SP 800-32]","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-32"}]},{"uuid":"65774382-fcc6-4bbc-89fc-9d35aab19952","title":"[SP 800-34]","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-34r1"}]},{"uuid":"ed919d0d-8e21-4df6-801d-3fbc4cb8a505","title":"[SP 800-35]","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-35"}]},{"uuid":"e07d73ea-96b9-4330-aff2-e0215f455343","title":"[SP 800-37]","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-37r2"}]},{"uuid":"451e9636-402e-4c27-b3f5-e0e50f957f27","title":"[SP 800-39]","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-39"}]},{"uuid":"1126ec09-2b27-4a21-80b2-fef70b31c49d","title":"[SP 800-40]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-40r3"}]},{"uuid":"db7877cf-1013-4fb1-b943-ca9361d16370","title":"[SP 800-41]","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-41r1"}]},{"uuid":"23b0a203-c020-47dd-b86c-9f8c35ecaa4e","title":"[SP 800-45]","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-45ver2"}]},{"uuid":"7768c184-088d-4ee8-a316-f9286b52df7f","title":"[SP 800-46]","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-46r2"}]},{"uuid":"2e66c31a-190e-49ad-8e00-f306f8a0df17","title":"[SP 800-47]","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-47"}]},{"uuid":"2e29c363-d5be-47ba-92f5-f8a58a69b65e","title":"[SP 800-50]","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-50"}]},{"uuid":"286604ec-e383-4c1d-bd8c-d88f88e54a0f","title":"[SP 800-52]","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-52r2"}]},{"uuid":"5db6dfe4-788e-4183-93b9-f6fb29d75e41","title":"[SP 800-53A]","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-53Ar4"}]},{"uuid":"31f3c9de-c57c-4281-929b-f9951f9640f1","title":"[SP 800-53B]","citation":{"text":"National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020."}},{"uuid":"8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","title":"[SP 800-55]","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-55r1"}]},{"uuid":"77dc1838-3664-4faa-bc6e-4e2a16e52f35","title":"[SP 800-56A]","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Ar3"}]},{"uuid":"f417e4ec-cadb-47a8-a363-6006b32c28ad","title":"[SP 800-56B]","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Br2"}]},{"uuid":"7c3ba335-62bd-4f03-888f-960790409b11","title":"[SP 800-56C]","citation":{"text":"Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Cr1"}]},{"uuid":"770f9bdc-4023-48ef-8206-c65397f061ea","title":"[SP 800-57-1]","citation":{"text":"Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt1r4"}]},{"uuid":"69644a9e-438a-47c3-bac9-cf28b5baf848","title":"[SP 800-57-2]","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt2r1"}]},{"uuid":"9933c883-e8f3-4a83-9a9a-d1e058038080","title":"[SP 800-57-3]","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt3r1"}]},{"uuid":"68949f14-9cf5-4116-91d8-e820b9df3ffd","title":"[SP 800-60 v1]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v1r1"}]},{"uuid":"e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","title":"[SP 800-60 v2]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v2r1"}]},{"uuid":"7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","title":"[SP 800-61]","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-61r2"}]},{"uuid":"549993c0-9bdd-4d49-875c-f56950cc5f30","title":"[SP 800-63-3]","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-63-3"}]},{"uuid":"3c50fa31-7f4d-4d30-91d7-27ee87cd5f75","title":"[SP 800-63A]","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-63a"}]},{"uuid":"14a7d982-9747-48e0-a877-3e8fbf6ae381","title":"[SP 800-70]","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-70r4"}]},{"uuid":"3d6b3a16-94e7-4a43-8648-8bdeaadb271b","title":"[SP 800-73-4]","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-73-4"}]},{"uuid":"d5ef0056-c807-44c3-a7b5-6eb491538f8e","title":"[SP 800-76-2]","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-76-2"}]},{"uuid":"8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","title":"[SP 800-77]","citation":{"text":"Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-77"}]},{"uuid":"013e098f-0680-4856-a130-b768c69dab9c","title":"[SP 800-78-4]","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-78-4"}]},{"uuid":"bb55e71a-e059-4263-8dd8-bc96fd3f063d","title":"[SP 800-79-2]","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-79-2"}]},{"uuid":"93d44344-59f9-4669-845d-6cc2a5852621","title":"[SP 800-81-2]","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-81-2"}]},{"uuid":"8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","title":"[SP 800-83]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-83r1"}]},{"uuid":"20bf433b-074c-47a0-8fca-cd591772ccd6","title":"[SP 800-84]","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-84"}]},{"uuid":"35dfd59f-eef2-4f71-bdb5-6d878267456a","title":"[SP 800-86]","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-86"}]},{"uuid":"fed6a3b5-2b74-499f-9172-46671f7c24c8","title":"[SP 800-88]","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-88r1"}]},{"uuid":"02d8ec60-6197-43f8-9f47-18732127963e","title":"[SP 800-92]","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-92"}]},{"uuid":"41e2e2c6-2260-4258-85c8-09db17c43103","title":"[SP 800-94]","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-94"}]},{"uuid":"1d91d984-0cb6-4f96-a01d-c39a3eee7d43","title":"[SP 800-95]","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-95"}]},{"uuid":"6bed1550-cd5d-4e80-8d83-4e597c1514fe","title":"[SP 800-97]","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-97"}]},{"uuid":"9183bd83-170e-4701-b32c-97e08ef8bedb","title":"[SP 800-100]","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"1e2c475a-84ae-4c60-b420-8fb2ea552b71","title":"[SP 800-101]","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-101r1"}]},{"uuid":"1b14b50f-7154-4226-958c-7dfff8276755","title":"[SP 800-111]","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-111"}]},{"uuid":"36132a58-56fd-4980-9f6c-c010d3faf52b","title":"[SP 800-113]","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-113"}]},{"uuid":"49fa1ee1-aaf7-4270-bb5a-a86497f717dc","title":"[SP 800-114]","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-114r1"}]},{"uuid":"a6b97214-55d4-4b86-a3a4-53d5911d96f7","title":"[SP 800-115]","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"ad7d575f-b5fe-489b-8d48-36a93d964a5f","title":"[SP 800-116]","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-116r1"}]},{"uuid":"60b24979-65b8-4ca5-a442-11b74339fab5","title":"[SP 800-121]","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-121r2"}]},{"uuid":"18c6942b-95f8-414c-b548-c8e6b8d8a172","title":"[SP 800-124]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-124r1"}]},{"uuid":"c972a85c-fa75-4596-be25-a338dc7e4e46","title":"[SP 800-125B]","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-125B"}]},{"uuid":"0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","title":"[SP 800-126]","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-126r3"}]},{"uuid":"a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","title":"[SP 800-128]","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-128"}]},{"uuid":"ae412317-c2b4-47bb-b47b-c329ce0d7a0b","title":"[SP 800-130]","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-130"}]},{"uuid":"c3b34083-77b2-4dab-a980-73068f8933bd","title":"[SP 800-137]","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-137"}]},{"uuid":"e9224c9b-4fa5-40b7-bfbb-02bff7712d92","title":"[SP 800-147]","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-147"}]},{"uuid":"ad3e8f21-07c6-4968-b002-00b64dfa70ae","title":"[SP 800-150]","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-150"}]},{"uuid":"38dbdf55-9a14-446f-b563-c48e4e3d37fb","title":"[SP 800-152]","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-152"}]},{"uuid":"fd0f14f5-8910-45c4-b60a-0c8936e00daa","title":"[SP 800-154]","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https://csrc.nist.gov/publications/detail/sp/800-154/draft"}]},{"uuid":"f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa","title":"[SP 800-156]","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-156"}]},{"uuid":"8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","title":"[SP 800-160 v1]","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v1"}]},{"uuid":"8411e6e8-09bd-431d-bbcb-3423d36ad880","title":"[SP 800-160 v2]","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v2"}]},{"uuid":"66476e76-46b4-47fb-be19-d13e6f3840df","title":"[SP 800-161]","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-161"}]},{"uuid":"359f960c-2598-454c-ba3b-a30c553e498f","title":"[SP 800-162]","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-162"}]},{"uuid":"a8f55663-86c5-415b-aabe-d2a126981d65","title":"[SP 800-166]","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-166"}]},{"uuid":"893d1736-324c-41d6-a5f4-d526b5ca981a","title":"[SP 800-167]","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-167"}]},{"uuid":"0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","title":"[SP 800-171]","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-171r2"}]},{"uuid":"aad55f03-8ece-4b21-b09c-9ef65b5a9f55","title":"[SP 800-171B]","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B."},"rlinks":[{"href":"https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf"}]},{"uuid":"64e044e4-b2a9-490f-a079-1106407c812f","title":"[SP 800-177]","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-177r1"}]},{"uuid":"223b23a9-baea-4a50-8058-63cf7967b61f","title":"[SP 800-178]","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-178"}]},{"uuid":"f4c3f657-de83-47ae-9aec-e144de8268d1","title":"[SP 800-181]","citation":{"text":"Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-181"}]},{"uuid":"08f518f7-f9b9-4bee-8986-860214f46b16","title":"[SP 800-184]","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-184"}]},{"uuid":"eadef75e-7e4d-4554-b818-44946c1dde0e","title":"[SP 800-188]","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https://csrc.nist.gov/publications/detail/sp/800-188/draft"}]},{"uuid":"3862cd94-ff25-4631-9a9a-b92c21a0a923","title":"[SP 800-189]","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-189"}]},{"uuid":"06d3c11a-4a00-42d9-ad75-e6a777ffae5e","title":"[SP 800-192]","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-192"}]},{"uuid":"d4779b49-8acc-45ef-b4f0-30f945e81d1b","title":"[IR 7539]","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7539"}]},{"uuid":"09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","title":"[IR 7559]","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7559"}]},{"uuid":"7b03adec-4405-4aac-94a0-6a9eb3f42e31","title":"[IR 7622]","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7622"}]},{"uuid":"daf69edb-a0ef-4447-9880-8c4bf553181f","title":"[IR 7676]","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7676"}]},{"uuid":"bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","title":"[IR 7788]","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7788"}]},{"uuid":"a49f67fc-827c-40e6-9a37-2b1cbe8142fd","title":"[IR 7817]","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7817"}]},{"uuid":"972c10bd-aedf-485f-b0db-f46a402127e2","title":"[IR 7849]","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7849"}]},{"uuid":"197f7ba7-9af8-4a67-b3a4-5523d850e53b","title":"[IR 7870]","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7870"}]},{"uuid":"bb22d510-54a9-4588-b725-00d37576562b","title":"[IR 7874]","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7874"}]},{"uuid":"f437b52f-7f26-42aa-8e8f-999e7d67b2fe","title":"[IR 7956]","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7956"}]},{"uuid":"30213e10-2aca-47b3-8cdb-61303e0959f5","title":"[IR 7966]","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7966"}]},{"uuid":"851b5ba4-6aa0-4583-857c-4c360cbdf2a0","title":"[IR 8011 v1]","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8011-1"}]},{"uuid":"7e7538d7-9c3a-4e5f-bbb4-638cec975415","title":"[IR 8023]","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8023"}]},{"uuid":"24738ee6-b3f3-4e37-825b-58775846bdbc","title":"[IR 8040]","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8040"}]},{"uuid":"817b4227-5857-494d-9032-915980b32f15","title":"[IR 8062]","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8062"}]},{"uuid":"7a93e915-fd58-4147-be12-e48044c367e6","title":"[IR 8179]","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8179"}]},{"uuid":"294eed19-7471-4517-9480-2ec73e7c6a78","title":"[DOD STIG]","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https://iase.disa.mil/stigs/Pages/index.aspx"}]},{"uuid":"17ca9481-ea11-4ef2-81c1-885fd37d4be5","title":"[IETF 5905]","citation":{"text":""}},{"uuid":"dd87fdf0-840d-4392-9de4-220b2327e340","title":"[NARA CUI]","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https://www.archives.gov/cui"}]},{"uuid":"5dac2312-1d0d-416f-aebb-400fa9775b74","title":"[NIAP CCEVS]","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https://www.niap-ccevs.org/"}]},{"uuid":"5cc04a1c-5489-4751-a493-746a9639067b","title":"[NCPR]","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at"},"rlinks":[{"href":"https://nvd.nist.gov/ncp/repository"}]},{"uuid":"634dec27-df88-4c30-b1a4-b57cdfd24f20","title":"[NSA CSFC]","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/csfc"}]},{"uuid":"a52271dc-11b5-423a-8b6f-14867bd94259","title":"[NSA MEDIA]","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/media-destruction"}]},{"uuid":"06842bea-64c9-4e20-807a-b8fc003fa737","title":"[USGCB]","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at"},"rlinks":[{"href":"https://csrc.nist.gov/projects/united-states-government-configuration-baseline"}]}]}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.json deleted file mode 100644 index ccef7b9908..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.json +++ /dev/null @@ -1,40922 +0,0 @@ -{ - "catalog": { - "uuid": "5656c824-bd88-462c-b967-bb7cb01cdbbd", - "metadata": { - "title": "SP800-53 HIGH IMPACT BASELINE", - "last-modified": "2020-08-26T16:28:38.111-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "properties": [ - { - "name": "resolution-timestamp", - "value": "2020-08-31T17:39:35.488827Z" - } - ], - "links": [ - { - "href": "NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml", - "rel": "resolution-source", - "text": "SP800-53 HIGH IMPACT BASELINE" - } - ], - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "a90f4235-ab3c-4bf1-ba0a-865bbc833346", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "a90f4235-ab3c-4bf1-ba0a-865bbc833346" - ] - }, - "contact": { - "party-uuids": [ - "a90f4235-ab3c-4bf1-ba0a-865bbc833346" - ] - } - } - }, - "groups": [ - { - "id": "ac", - "class": "family", - "title": "Access Control", - "controls": [ - { - "id": "ac-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ac-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-1_prm_2" - }, - { - "id": "ac-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ac-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ac-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-1" - }, - { - "name": "sort-id", - "value": "AC-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ac-1_smt", - "name": "statement", - "parts": [ - { - "id": "ac-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ac-1_prm_1 }}:", - "parts": [ - { - "id": "ac-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ac-1_prm_2 }} access control policy that:", - "parts": [ - { - "id": "ac-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ac-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ac-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" - } - ] - }, - { - "id": "ac-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" - }, - { - "id": "ac-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current access control:", - "parts": [ - { - "id": "ac-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ac-1_prm_4 }}; and" - }, - { - "id": "ac-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ac-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ac-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ac-2", - "class": "SP800-53", - "title": "Account Management", - "parameters": [ - { - "id": "ac-2_prm_1", - "label": "organization-defined attributes (as required)" - }, - { - "id": "ac-2_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-2_prm_3", - "label": "organization-defined policy, procedures, and conditions" - }, - { - "id": "ac-2_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-2_prm_5", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_6", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_7", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_8", - "label": "organization-defined attributes (as required)" - }, - { - "id": "ac-2_prm_9", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2" - }, - { - "name": "sort-id", - "value": "AC-02" - } - ], - "links": [ - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#06d3c11a-4a00-42d9-ad75-e6a777ffae5e", - "rel": "reference", - "text": "[SP 800-192]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ac-24", - "rel": "related", - "text": "AC-24" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - } - ], - "parts": [ - { - "id": "ac-2_smt", - "name": "statement", - "parts": [ - { - "id": "ac-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define and document the types of accounts allowed for use within the system;" - }, - { - "id": "ac-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Assign account managers;" - }, - { - "id": "ac-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Establish conditions for group and role membership;" - }, - { - "id": "ac-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Specify:", - "parts": [ - { - "id": "ac-2_smt.d.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Authorized users of the system;" - }, - { - "id": "ac-2_smt.d.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Group and role membership; and" - }, - { - "id": "ac-2_smt.d.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account;" - } - ] - }, - { - "id": "ac-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Require approvals by {{ ac-2_prm_2 }} for requests to create accounts;" - }, - { - "id": "ac-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }};" - }, - { - "id": "ac-2_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Monitor the use of accounts;" - }, - { - "id": "ac-2_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Notify account managers and {{ ac-2_prm_4 }} within:", - "parts": [ - { - "id": "ac-2_smt.h.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ac-2_prm_5 }} when accounts are no longer required;" - }, - { - "id": "ac-2_smt.h.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ ac-2_prm_6 }} when users are terminated or transferred; and" - }, - { - "id": "ac-2_smt.h.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "\n {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual;" - } - ] - }, - { - "id": "ac-2_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Authorize access to the system based on:", - "parts": [ - { - "id": "ac-2_smt.i.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "A valid access authorization;" - }, - { - "id": "ac-2_smt.i.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Intended system usage; and" - }, - { - "id": "ac-2_smt.i.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "\n {{ ac-2_prm_8 }};" - } - ] - }, - { - "id": "ac-2_smt.j", - "name": "item", - "properties": [ - { - "name": "label", - "value": "j." - } - ], - "prose": "Review accounts for compliance with account management requirements {{ ac-2_prm_9 }};" - }, - { - "id": "ac-2_smt.k", - "name": "item", - "properties": [ - { - "name": "label", - "value": "k." - } - ], - "prose": "Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and" - }, - { - "id": "ac-2_smt.l", - "name": "item", - "properties": [ - { - "name": "label", - "value": "l." - } - ], - "prose": "Align account management processes with personnel termination and transfer processes." - } - ] - }, - { - "id": "ac-2_gdn", - "name": "guidance", - "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy.\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." - } - ], - "controls": [ - { - "id": "ac-2.1", - "class": "SP800-53-enhancement", - "title": "Automated System Account Management", - "parameters": [ - { - "id": "ac-2.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(1)" - }, - { - "name": "sort-id", - "value": "AC-02(01)" - } - ], - "parts": [ - { - "id": "ac-2.1_smt", - "name": "statement", - "prose": "Support the management of system accounts using {{ ac-2.1_prm_1 }}." - }, - { - "id": "ac-2.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage." - } - ] - }, - { - "id": "ac-2.2", - "class": "SP800-53-enhancement", - "title": "Automated Temporary and Emergency Account Management", - "parameters": [ - { - "id": "ac-2.2_prm_1" - }, - { - "id": "ac-2.2_prm_2", - "label": "organization-defined time-period for each type of account" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(2)" - }, - { - "name": "sort-id", - "value": "AC-02(02)" - } - ], - "parts": [ - { - "id": "ac-2.2_smt", - "name": "statement", - "prose": "Automatically {{ ac-2.2_prm_1 }} temporary and emergency accounts after {{ ac-2.2_prm_2 }}." - }, - { - "id": "ac-2.2_gdn", - "name": "guidance", - "prose": "Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation." - } - ] - }, - { - "id": "ac-2.3", - "class": "SP800-53-enhancement", - "title": "Disable Accounts", - "parameters": [ - { - "id": "ac-2.3_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(3)" - }, - { - "name": "sort-id", - "value": "AC-02(03)" - } - ], - "parts": [ - { - "id": "ac-2.3_smt", - "name": "statement", - "prose": "Disable accounts when the accounts:", - "parts": [ - { - "id": "ac-2.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Have expired;" - }, - { - "id": "ac-2.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Are no longer associated with a user or individual;" - }, - { - "id": "ac-2.3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Are in violation of organizational policy; or" - }, - { - "id": "ac-2.3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Have been inactive for {{ ac-2.3_prm_1 }}." - } - ] - }, - { - "id": "ac-2.3_gdn", - "name": "guidance", - "prose": "Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system." - } - ] - }, - { - "id": "ac-2.4", - "class": "SP800-53-enhancement", - "title": "Automated Audit Actions", - "properties": [ - { - "name": "label", - "value": "AC-2(4)" - }, - { - "name": "sort-id", - "value": "AC-02(04)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - } - ], - "parts": [ - { - "id": "ac-2.4_smt", - "name": "statement", - "prose": "Automatically audit account creation, modification, enabling, disabling, and removal actions." - }, - { - "id": "ac-2.4_gdn", - "name": "guidance", - "prose": "Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6." - } - ] - }, - { - "id": "ac-2.5", - "class": "SP800-53-enhancement", - "title": "Inactivity Logout", - "parameters": [ - { - "id": "ac-2.5_prm_1", - "label": "organization-defined time-period of expected inactivity or description of when to log out" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(5)" - }, - { - "name": "sort-id", - "value": "AC-02(05)" - } - ], - "links": [ - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - } - ], - "parts": [ - { - "id": "ac-2.5_smt", - "name": "statement", - "prose": "Require that users log out when {{ ac-2.5_prm_1 }}." - }, - { - "id": "ac-2.5_gdn", - "name": "guidance", - "prose": "Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11." - } - ] - }, - { - "id": "ac-2.11", - "class": "SP800-53-enhancement", - "title": "Usage Conditions", - "parameters": [ - { - "id": "ac-2.11_prm_1", - "label": "organization-defined circumstances and/or usage conditions" - }, - { - "id": "ac-2.11_prm_2", - "label": "organization-defined system accounts" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(11)" - }, - { - "name": "sort-id", - "value": "AC-02(11)" - } - ], - "parts": [ - { - "id": "ac-2.11_smt", - "name": "statement", - "prose": "Enforce {{ ac-2.11_prm_1 }} for {{ ac-2.11_prm_2 }}." - }, - { - "id": "ac-2.11_gdn", - "name": "guidance", - "prose": "Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time." - } - ] - }, - { - "id": "ac-2.12", - "class": "SP800-53-enhancement", - "title": "Account Monitoring for Atypical Usage", - "parameters": [ - { - "id": "ac-2.12_prm_1", - "label": "organization-defined atypical usage" - }, - { - "id": "ac-2.12_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(12)" - }, - { - "name": "sort-id", - "value": "AC-02(12)" - } - ], - "links": [ - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-2.12_smt", - "name": "statement", - "parts": [ - { - "id": "ac-2.12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Monitor system accounts for {{ ac-2.12_prm_1 }}; and" - }, - { - "id": "ac-2.12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Report atypical usage of system accounts to {{ ac-2.12_prm_2 }}." - } - ] - }, - { - "id": "ac-2.12_gdn", - "name": "guidance", - "prose": "Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals working in organizations. Account monitoring may inadvertently create privacy risks. Data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." - } - ] - }, - { - "id": "ac-2.13", - "class": "SP800-53-enhancement", - "title": "Disable Accounts for High-risk Individuals", - "parameters": [ - { - "id": "ac-2.13_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ac-2.13_prm_2", - "label": "organization-defined significant risks" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(13)" - }, - { - "name": "sort-id", - "value": "AC-02(13)" - } - ], - "links": [ - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-2.13_smt", - "name": "statement", - "prose": "Disable accounts of users within {{ ac-2.13_prm_1 }} of discovery of {{ ac-2.13_prm_2 }}." - }, - { - "id": "ac-2.13_gdn", - "name": "guidance", - "prose": "Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement." - } - ] - } - ] - }, - { - "id": "ac-3", - "class": "SP800-53", - "title": "Access Enforcement", - "properties": [ - { - "name": "label", - "value": "AC-3" - }, - { - "name": "sort-id", - "value": "AC-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#ac-24", - "rel": "related", - "text": "AC-24" - }, - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-4", - "rel": "related", - "text": "SC-4" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-3_smt", - "name": "statement", - "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." - }, - { - "id": "ac-3_gdn", - "name": "guidance", - "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family." - } - ] - }, - { - "id": "ac-4", - "class": "SP800-53", - "title": "Information Flow Enforcement", - "parameters": [ - { - "id": "ac-4_prm_1", - "label": "organization-defined information flow control policies" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-4" - }, - { - "name": "sort-id", - "value": "AC-04" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-4", - "rel": "related", - "text": "SC-4" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-16", - "rel": "related", - "text": "SC-16" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - } - ], - "parts": [ - { - "id": "ac-4_smt", - "name": "statement", - "prose": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ ac-4_prm_1 }}." - }, - { - "id": "ac-4_gdn", - "name": "guidance", - "prose": "Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels.\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS)." - } - ], - "controls": [ - { - "id": "ac-4.4", - "class": "SP800-53-enhancement", - "title": "Flow Control of Encrypted Information", - "parameters": [ - { - "id": "ac-4.4_prm_1", - "label": "organization-defined information flow control mechanisms" - }, - { - "id": "ac-4.4_prm_2" - }, - { - "id": "ac-4.4_prm_3", - "depends-on": "ac-4.4_prm_2", - "label": "organization-defined procedure or method" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-4(4)" - }, - { - "name": "sort-id", - "value": "AC-04(04)" - } - ], - "links": [ - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-4.4_smt", - "name": "statement", - "prose": "Prevent encrypted information from bypassing {{ ac-4.4_prm_1 }} by {{ ac-4.4_prm_2 }}." - }, - { - "id": "ac-4.4_gdn", - "name": "guidance", - "prose": "Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms." - } - ] - } - ] - }, - { - "id": "ac-5", - "class": "SP800-53", - "title": "Separation of Duties", - "parameters": [ - { - "id": "ac-5_prm_1", - "label": "organization-defined duties of individuals requiring separation" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-5" - }, - { - "name": "sort-id", - "value": "AC-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "ac-5_smt", - "name": "statement", - "parts": [ - { - "id": "ac-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document {{ ac-5_prm_1 }}; and" - }, - { - "id": "ac-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define system access authorizations to support separation of duties." - } - ] - }, - { - "id": "ac-5_gdn", - "name": "guidance", - "prose": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3." - } - ] - }, - { - "id": "ac-6", - "class": "SP800-53", - "title": "Least Privilege", - "properties": [ - { - "name": "label", - "value": "AC-6" - }, - { - "name": "sort-id", - "value": "AC-06" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - } - ], - "parts": [ - { - "id": "ac-6_smt", - "name": "statement", - "prose": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." - }, - { - "id": "ac-6_gdn", - "name": "guidance", - "prose": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems." - } - ], - "controls": [ - { - "id": "ac-6.1", - "class": "SP800-53-enhancement", - "title": "Authorize Access to Security Functions", - "parameters": [ - { - "id": "ac-6.1_prm_1", - "label": "organization-defined individuals or roles" - }, - { - "id": "ac-6.1_prm_2", - "label": "organization-defined security functions (deployed in hardware, software, and firmware)" - }, - { - "id": "ac-6.1_prm_3", - "label": "organization-defined security-relevant information" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(1)" - }, - { - "name": "sort-id", - "value": "AC-06(01)" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - } - ], - "parts": [ - { - "id": "ac-6.1_smt", - "name": "statement", - "prose": "Explicitly authorize access for {{ ac-6.1_prm_1 }} to:", - "parts": [ - { - "id": "ac-6.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "\n {{ ac-6.1_prm_2 }}; and" - }, - { - "id": "ac-6.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "\n {{ ac-6.1_prm_3 }}." - } - ] - }, - { - "id": "ac-6.1_gdn", - "name": "guidance", - "prose": "Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users." - } - ] - }, - { - "id": "ac-6.2", - "class": "SP800-53-enhancement", - "title": "Non-privileged Access for Nonsecurity Functions", - "parameters": [ - { - "id": "ac-6.2_prm_1", - "label": "organization-defined security functions or security-relevant information" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(2)" - }, - { - "name": "sort-id", - "value": "AC-06(02)" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - } - ], - "parts": [ - { - "id": "ac-6.2_smt", - "name": "statement", - "prose": "Require that users of system accounts (or roles) with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions." - }, - { - "id": "ac-6.2_gdn", - "name": "guidance", - "prose": "Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account." - } - ] - }, - { - "id": "ac-6.3", - "class": "SP800-53-enhancement", - "title": "Network Access to Privileged Commands", - "parameters": [ - { - "id": "ac-6.3_prm_1", - "label": "organization-defined privileged commands" - }, - { - "id": "ac-6.3_prm_2", - "label": "organization-defined compelling operational needs" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(3)" - }, - { - "name": "sort-id", - "value": "AC-06(03)" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - } - ], - "parts": [ - { - "id": "ac-6.3_smt", - "name": "statement", - "prose": "Authorize network access to {{ ac-6.3_prm_1 }} only for {{ ac-6.3_prm_2 }} and document the rationale for such access in the security plan for the system." - }, - { - "id": "ac-6.3_gdn", - "name": "guidance", - "prose": "Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)." - } - ] - }, - { - "id": "ac-6.5", - "class": "SP800-53-enhancement", - "title": "Privileged Accounts", - "parameters": [ - { - "id": "ac-6.5_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(5)" - }, - { - "name": "sort-id", - "value": "AC-06(05)" - } - ], - "links": [ - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - } - ], - "parts": [ - { - "id": "ac-6.5_smt", - "name": "statement", - "prose": "Restrict privileged accounts on the system to {{ ac-6.5_prm_1 }}." - }, - { - "id": "ac-6.5_gdn", - "name": "guidance", - "prose": "Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk." - } - ] - }, - { - "id": "ac-6.7", - "class": "SP800-53-enhancement", - "title": "Review of User Privileges", - "parameters": [ - { - "id": "ac-6.7_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ac-6.7_prm_2", - "label": "organization-defined roles or classes of users" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(7)" - }, - { - "name": "sort-id", - "value": "AC-06(07)" - } - ], - "links": [ - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - } - ], - "parts": [ - { - "id": "ac-6.7_smt", - "name": "statement", - "parts": [ - { - "id": "ac-6.7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Review {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and" - }, - { - "id": "ac-6.7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs." - } - ] - }, - { - "id": "ac-6.7_gdn", - "name": "guidance", - "prose": "The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions." - } - ] - }, - { - "id": "ac-6.9", - "class": "SP800-53-enhancement", - "title": "Log Use of Privileged Functions", - "properties": [ - { - "name": "label", - "value": "AC-6(9)" - }, - { - "name": "sort-id", - "value": "AC-06(09)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - } - ], - "parts": [ - { - "id": "ac-6.9_smt", - "name": "statement", - "prose": "Audit the execution of privileged functions." - }, - { - "id": "ac-6.9_gdn", - "name": "guidance", - "prose": "The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat." - } - ] - }, - { - "id": "ac-6.10", - "class": "SP800-53-enhancement", - "title": "Prohibit Non-privileged Users from Executing Privileged Functions", - "properties": [ - { - "name": "label", - "value": "AC-6(10)" - }, - { - "name": "sort-id", - "value": "AC-06(10)" - } - ], - "parts": [ - { - "id": "ac-6.10_smt", - "name": "statement", - "prose": "Prevent non-privileged users from executing privileged functions." - }, - { - "id": "ac-6.10_gdn", - "name": "guidance", - "prose": "Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3." - } - ] - } - ] - }, - { - "id": "ac-7", - "class": "SP800-53", - "title": "Unsuccessful Logon Attempts", - "parameters": [ - { - "id": "ac-7_prm_1", - "label": "organization-defined number" - }, - { - "id": "ac-7_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "ac-7_prm_3" - }, - { - "id": "ac-7_prm_4", - "depends-on": "ac-7_prm_3", - "label": "organization-defined time-period" - }, - { - "id": "ac-7_prm_5", - "depends-on": "ac-7_prm_3", - "label": "organization-defined delay algorithm" - }, - { - "id": "ac-7_prm_6", - "depends-on": "ac-7_prm_3", - "label": "organization-defined action" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-7" - }, - { - "name": "sort-id", - "value": "AC-07" - } - ], - "links": [ - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-9", - "rel": "related", - "text": "AC-9" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - } - ], - "parts": [ - { - "id": "ac-7_smt", - "name": "statement", - "parts": [ - { - "id": "ac-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and" - }, - { - "id": "ac-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded." - } - ] - }, - { - "id": "ac-7_gdn", - "name": "guidance", - "prose": "This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address.\nTechniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." - } - ] - }, - { - "id": "ac-8", - "class": "SP800-53", - "title": "System Use Notification", - "parameters": [ - { - "id": "ac-8_prm_1", - "label": "organization-defined system use notification message or banner" - }, - { - "id": "ac-8_prm_2", - "label": "organization-defined conditions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-8" - }, - { - "name": "sort-id", - "value": "AC-08" - } - ], - "links": [ - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-8_smt", - "name": "statement", - "parts": [ - { - "id": "ac-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", - "parts": [ - { - "id": "ac-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Users are accessing a U.S. Government system;" - }, - { - "id": "ac-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "System usage may be monitored, recorded, and subject to audit;" - }, - { - "id": "ac-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" - }, - { - "id": "ac-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Use of the system indicates consent to monitoring and recording;" - } - ] - }, - { - "id": "ac-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" - }, - { - "id": "ac-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "For publicly accessible systems:", - "parts": [ - { - "id": "ac-8_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system;" - }, - { - "id": "ac-8_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" - }, - { - "id": "ac-8_smt.c.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Include a description of the authorized uses of the system." - } - ] - } - ] - }, - { - "id": "ac-8_gdn", - "name": "guidance", - "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content." - } - ] - }, - { - "id": "ac-10", - "class": "SP800-53", - "title": "Concurrent Session Control", - "parameters": [ - { - "id": "ac-10_prm_1", - "label": "organization-defined account and/or account type" - }, - { - "id": "ac-10_prm_2", - "label": "organization-defined number" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-10" - }, - { - "name": "sort-id", - "value": "AC-10" - } - ], - "links": [ - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - } - ], - "parts": [ - { - "id": "ac-10_smt", - "name": "statement", - "prose": "Limit the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}." - }, - { - "id": "ac-10_gdn", - "name": "guidance", - "prose": "Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for system accounts and does not address concurrent sessions by single users via multiple system accounts." - } - ] - }, - { - "id": "ac-11", - "class": "SP800-53", - "title": "Device Lock", - "parameters": [ - { - "id": "ac-11_prm_1" - }, - { - "id": "ac-11_prm_2", - "depends-on": "ac-11_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-11" - }, - { - "name": "sort-id", - "value": "AC-11" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - } - ], - "parts": [ - { - "id": "ac-11_smt", - "name": "statement", - "parts": [ - { - "id": "ac-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Prevent further access to the system by {{ ac-11_prm_1 }}; and" - }, - { - "id": "ac-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the device lock until the user reestablishes access using established identification and authentication procedures." - } - ] - }, - { - "id": "ac-11_gdn", - "name": "guidance", - "prose": "Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays." - } - ], - "controls": [ - { - "id": "ac-11.1", - "class": "SP800-53-enhancement", - "title": "Pattern-hiding Displays", - "properties": [ - { - "name": "label", - "value": "AC-11(1)" - }, - { - "name": "sort-id", - "value": "AC-11(01)" - } - ], - "parts": [ - { - "id": "ac-11.1_smt", - "name": "statement", - "prose": "Conceal, via the device lock, information previously visible on the display with a publicly viewable image." - }, - { - "id": "ac-11.1_gdn", - "name": "guidance", - "prose": "The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed." - } - ] - } - ] - }, - { - "id": "ac-12", - "class": "SP800-53", - "title": "Session Termination", - "parameters": [ - { - "id": "ac-12_prm_1", - "label": "organization-defined conditions or trigger events requiring session disconnect" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-12" - }, - { - "name": "sort-id", - "value": "AC-12" - } - ], - "links": [ - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - } - ], - "parts": [ - { - "id": "ac-12_smt", - "name": "statement", - "prose": "Automatically terminate a user session after {{ ac-12_prm_1 }}." - }, - { - "id": "ac-12_gdn", - "name": "guidance", - "prose": "Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use." - } - ] - }, - { - "id": "ac-14", - "class": "SP800-53", - "title": "Permitted Actions Without Identification or Authentication", - "parameters": [ - { - "id": "ac-14_prm_1", - "label": "organization-defined user actions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-14" - }, - { - "name": "sort-id", - "value": "AC-14" - } - ], - "links": [ - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "ac-14_smt", - "name": "statement", - "parts": [ - { - "id": "ac-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and" - }, - { - "id": "ac-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." - } - ] - }, - { - "id": "ac-14_gdn", - "name": "guidance", - "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none." - } - ] - }, - { - "id": "ac-17", - "class": "SP800-53", - "title": "Remote Access", - "properties": [ - { - "name": "label", - "value": "AC-17" - }, - { - "name": "sort-id", - "value": "AC-17" - } - ], - "links": [ - { - "href": "#7768c184-088d-4ee8-a316-f9286b52df7f", - "rel": "reference", - "text": "[SP 800-46]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#36132a58-56fd-4980-9f6c-c010d3faf52b", - "rel": "reference", - "text": "[SP 800-113]" - }, - { - "href": "#49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "rel": "reference", - "text": "[SP 800-114]" - }, - { - "href": "#60b24979-65b8-4ca5-a442-11b74339fab5", - "rel": "reference", - "text": "[SP 800-121]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-17", - "rel": "related", - "text": "PE-17" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-17_smt", - "name": "statement", - "parts": [ - { - "id": "ac-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" - }, - { - "id": "ac-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize each type of remote access to the system prior to allowing such connections." - } - ] - }, - { - "id": "ac-17_gdn", - "name": "guidance", - "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3." - } - ], - "controls": [ - { - "id": "ac-17.1", - "class": "SP800-53-enhancement", - "title": "Monitoring and Control", - "properties": [ - { - "name": "label", - "value": "AC-17(1)" - }, - { - "name": "sort-id", - "value": "AC-17(01)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - } - ], - "parts": [ - { - "id": "ac-17.1_smt", - "name": "statement", - "prose": "Employ automated mechanisms to monitor and control remote access methods." - }, - { - "id": "ac-17.1_gdn", - "name": "guidance", - "prose": "Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a." - } - ] - }, - { - "id": "ac-17.2", - "class": "SP800-53-enhancement", - "title": "Protection of Confidentiality and Integrity Using Encryption", - "properties": [ - { - "name": "label", - "value": "AC-17(2)" - }, - { - "name": "sort-id", - "value": "AC-17(02)" - } - ], - "links": [ - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ac-17.2_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." - }, - { - "id": "ac-17.2_gdn", - "name": "guidance", - "prose": "Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions." - } - ] - }, - { - "id": "ac-17.3", - "class": "SP800-53-enhancement", - "title": "Managed Access Control Points", - "properties": [ - { - "name": "label", - "value": "AC-17(3)" - }, - { - "name": "sort-id", - "value": "AC-17(03)" - } - ], - "links": [ - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "ac-17.3_smt", - "name": "statement", - "prose": "Route remote accesses through authorized and managed network access control points." - }, - { - "id": "ac-17.3_gdn", - "name": "guidance", - "prose": "Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface." - } - ] - }, - { - "id": "ac-17.4", - "class": "SP800-53-enhancement", - "title": "Privileged Commands and Access", - "parameters": [ - { - "id": "ac-17.4_prm_1", - "label": "organization-defined needs" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-17(4)" - }, - { - "name": "sort-id", - "value": "AC-17(04)" - } - ], - "links": [ - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ac-17.4_smt", - "name": "statement", - "parts": [ - { - "id": "ac-17.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ ac-17.4_prm_1 }}; and" - }, - { - "id": "ac-17.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Document the rationale for remote access in the security plan for the system." - } - ] - }, - { - "id": "ac-17.4_gdn", - "name": "guidance", - "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability." - } - ] - } - ] - }, - { - "id": "ac-18", - "class": "SP800-53", - "title": "Wireless Access", - "properties": [ - { - "name": "label", - "value": "AC-18" - }, - { - "name": "sort-id", - "value": "AC-18" - } - ], - "links": [ - { - "href": "#41e2e2c6-2260-4258-85c8-09db17c43103", - "rel": "reference", - "text": "[SP 800-94]" - }, - { - "href": "#6bed1550-cd5d-4e80-8d83-4e597c1514fe", - "rel": "reference", - "text": "[SP 800-97]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-18_smt", - "name": "statement", - "parts": [ - { - "id": "ac-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" - }, - { - "id": "ac-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize each type of wireless access to the system prior to allowing such connections." - } - ] - }, - { - "id": "ac-18_gdn", - "name": "guidance", - "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication." - } - ], - "controls": [ - { - "id": "ac-18.1", - "class": "SP800-53-enhancement", - "title": "Authentication and Encryption", - "parameters": [ - { - "id": "ac-18.1_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-18(1)" - }, - { - "name": "sort-id", - "value": "AC-18(01)" - } - ], - "links": [ - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ac-18.1_smt", - "name": "statement", - "prose": "Protect wireless access to the system using authentication of {{ ac-18.1_prm_1 }} and encryption." - }, - { - "id": "ac-18.1_gdn", - "name": "guidance", - "prose": "Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies." - } - ] - }, - { - "id": "ac-18.3", - "class": "SP800-53-enhancement", - "title": "Disable Wireless Networking", - "properties": [ - { - "name": "label", - "value": "AC-18(3)" - }, - { - "name": "sort-id", - "value": "AC-18(03)" - } - ], - "parts": [ - { - "id": "ac-18.3_smt", - "name": "statement", - "prose": "Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment." - }, - { - "id": "ac-18.3_gdn", - "name": "guidance", - "prose": "Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies." - } - ] - }, - { - "id": "ac-18.4", - "class": "SP800-53-enhancement", - "title": "Restrict Configurations by Users", - "properties": [ - { - "name": "label", - "value": "AC-18(4)" - }, - { - "name": "sort-id", - "value": "AC-18(04)" - } - ], - "links": [ - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-15", - "rel": "related", - "text": "SC-15" - } - ], - "parts": [ - { - "id": "ac-18.4_smt", - "name": "statement", - "prose": "Identify and explicitly authorize users allowed to independently configure wireless networking capabilities." - }, - { - "id": "ac-18.4_gdn", - "name": "guidance", - "prose": "Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational systems." - } - ] - }, - { - "id": "ac-18.5", - "class": "SP800-53-enhancement", - "title": "Antennas and Transmission Power Levels", - "properties": [ - { - "name": "label", - "value": "AC-18(5)" - }, - { - "name": "sort-id", - "value": "AC-18(05)" - } - ], - "links": [ - { - "href": "#pe-19", - "rel": "related", - "text": "PE-19" - } - ], - "parts": [ - { - "id": "ac-18.5_smt", - "name": "statement", - "prose": "Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries." - }, - { - "id": "ac-18.5_gdn", - "name": "guidance", - "prose": "Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization; employing measures such as emissions security to control wireless emanations; and using directional or beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area." - } - ] - } - ] - }, - { - "id": "ac-19", - "class": "SP800-53", - "title": "Access Control for Mobile Devices", - "properties": [ - { - "name": "label", - "value": "AC-19" - }, - { - "name": "sort-id", - "value": "AC-19" - } - ], - "links": [ - { - "href": "#49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "rel": "reference", - "text": "[SP 800-114]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-19_smt", - "name": "statement", - "parts": [ - { - "id": "ac-19_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" - }, - { - "id": "ac-19_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize the connection of mobile devices to organizational systems." - } - ] - }, - { - "id": "ac-19_gdn", - "name": "guidance", - "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled." - } - ], - "controls": [ - { - "id": "ac-19.5", - "class": "SP800-53-enhancement", - "title": "Full Device and Container-based Encryption", - "parameters": [ - { - "id": "ac-19.5_prm_1" - }, - { - "id": "ac-19.5_prm_2", - "label": "organization-defined mobile devices" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-19(5)" - }, - { - "name": "sort-id", - "value": "AC-19(05)" - } - ], - "links": [ - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - } - ], - "parts": [ - { - "id": "ac-19.5_smt", - "name": "statement", - "prose": "Employ {{ ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ ac-19.5_prm_2 }}." - }, - { - "id": "ac-19.5_gdn", - "name": "guidance", - "prose": "Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields." - } - ] - } - ] - }, - { - "id": "ac-20", - "class": "SP800-53", - "title": "Use of External Systems", - "parameters": [ - { - "id": "ac-20_prm_1" - }, - { - "id": "ac-20_prm_2", - "depends-on": "ac-20_prm_1", - "label": "organization-defined terms and conditions" - }, - { - "id": "ac-20_prm_3", - "depends-on": "ac-20_prm_1", - "label": "organization-defined controls asserted to be implemented on external systems" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-20" - }, - { - "name": "sort-id", - "value": "AC-20" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "rel": "reference", - "text": "[SP 800-171B]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "ac-20_smt", - "name": "statement", - "prose": "Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", - "parts": [ - { - "id": "ac-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Access the system from external systems; and" - }, - { - "id": "ac-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Process, store, or transmit organization-controlled information using external systems." - } - ] - }, - { - "id": "ac-20_gdn", - "name": "guidance", - "prose": "External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries.\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\nThis control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." - } - ], - "controls": [ - { - "id": "ac-20.1", - "class": "SP800-53-enhancement", - "title": "Limits on Authorized Use", - "properties": [ - { - "name": "label", - "value": "AC-20(1)" - }, - { - "name": "sort-id", - "value": "AC-20(01)" - } - ], - "links": [ - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - } - ], - "parts": [ - { - "id": "ac-20.1_smt", - "name": "statement", - "prose": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:", - "parts": [ - { - "id": "ac-20.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or" - }, - { - "id": "ac-20.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Retention of approved system connection or processing agreements with the organizational entity hosting the external system." - } - ] - }, - { - "id": "ac-20.1_gdn", - "name": "guidance", - "prose": "Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations." - } - ] - }, - { - "id": "ac-20.2", - "class": "SP800-53-enhancement", - "title": "Portable Storage Devices — Restricted Use", - "parameters": [ - { - "id": "ac-20.2_prm_1", - "label": "organization-defined restrictions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-20(2)" - }, - { - "name": "sort-id", - "value": "AC-20(02)" - } - ], - "links": [ - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#sc-41", - "rel": "related", - "text": "SC-41" - } - ], - "parts": [ - { - "id": "ac-20.2_smt", - "name": "statement", - "prose": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ ac-20.2_prm_1 }}." - }, - { - "id": "ac-20.2_gdn", - "name": "guidance", - "prose": "Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used." - } - ] - } - ] - }, - { - "id": "ac-21", - "class": "SP800-53", - "title": "Information Sharing", - "parameters": [ - { - "id": "ac-21_prm_1", - "label": "organization-defined information sharing circumstances where user discretion is required" - }, - { - "id": "ac-21_prm_2", - "label": "organization-defined automated mechanisms or manual processes" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-21" - }, - { - "name": "sort-id", - "value": "AC-21" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "rel": "reference", - "text": "[SP 800-150]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sc-15", - "rel": "related", - "text": "SC-15" - } - ], - "parts": [ - { - "id": "ac-21_smt", - "name": "statement", - "parts": [ - { - "id": "ac-21_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ ac-21_prm_1 }}; and" - }, - { - "id": "ac-21_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ {{ ac-21_prm_2 }} to assist users in making information sharing and collaboration decisions." - } - ] - }, - { - "id": "ac-21_gdn", - "name": "guidance", - "prose": "Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA)." - } - ] - }, - { - "id": "ac-22", - "class": "SP800-53", - "title": "Publicly Accessible Content", - "parameters": [ - { - "id": "ac-22_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-22" - }, - { - "name": "sort-id", - "value": "AC-22" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - } - ], - "parts": [ - { - "id": "ac-22_smt", - "name": "statement", - "parts": [ - { - "id": "ac-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Designate individuals authorized to make information publicly accessible;" - }, - { - "id": "ac-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" - }, - { - "id": "ac-22_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" - }, - { - "id": "ac-22_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered." - } - ] - }, - { - "id": "ac-22_gdn", - "name": "guidance", - "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible." - } - ] - } - ] - }, - { - "id": "at", - "class": "family", - "title": "Awareness and Training", - "controls": [ - { - "id": "at-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "at-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "at-1_prm_2" - }, - { - "id": "at-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "at-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "at-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-1" - }, - { - "name": "sort-id", - "value": "AT-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-1_smt", - "name": "statement", - "parts": [ - { - "id": "at-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ at-1_prm_1 }}:", - "parts": [ - { - "id": "at-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ at-1_prm_2 }} awareness and training policy that:", - "parts": [ - { - "id": "at-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "at-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "at-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" - } - ] - }, - { - "id": "at-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" - }, - { - "id": "at-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current awareness and training:", - "parts": [ - { - "id": "at-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ at-1_prm_4 }}; and" - }, - { - "id": "at-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ at-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "at-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "at-2", - "class": "SP800-53", - "title": "Awareness Training", - "parameters": [ - { - "id": "at-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "at-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-2" - }, - { - "name": "sort-id", - "value": "AT-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - } - ], - "parts": [ - { - "id": "at-2_smt", - "name": "statement", - "parts": [ - { - "id": "at-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):", - "parts": [ - { - "id": "at-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and" - }, - { - "id": "at-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update awareness training {{ at-2_prm_2 }}." - } - ] - }, - { - "id": "at-2_gdn", - "name": "guidance", - "prose": "Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective." - } - ], - "controls": [ - { - "id": "at-2.2", - "class": "SP800-53-enhancement", - "title": "Insider Threat", - "properties": [ - { - "name": "label", - "value": "AT-2(2)" - }, - { - "name": "sort-id", - "value": "AT-02(02)" - } - ], - "links": [ - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - } - ], - "parts": [ - { - "id": "at-2.2_smt", - "name": "statement", - "prose": "Provide awareness training on recognizing and reporting potential indicators of insider threat." - }, - { - "id": "at-2.2_gdn", - "name": "guidance", - "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations." - } - ] - }, - { - "id": "at-2.3", - "class": "SP800-53-enhancement", - "title": "Social Engineering and Mining", - "properties": [ - { - "name": "label", - "value": "AT-2(3)" - }, - { - "name": "sort-id", - "value": "AT-02(03)" - } - ], - "parts": [ - { - "id": "at-2.3_smt", - "name": "statement", - "prose": "Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining." - }, - { - "id": "at-2.3_gdn", - "name": "guidance", - "prose": "Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures." - } - ] - } - ] - }, - { - "id": "at-3", - "class": "SP800-53", - "title": "Role-based Training", - "parameters": [ - { - "id": "at-3_prm_1", - "label": "organization-defined roles and responsibilities" - }, - { - "id": "at-3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "at-3_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-3" - }, - { - "name": "sort-id", - "value": "AT-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "at-3_smt", - "name": "statement", - "parts": [ - { - "id": "at-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:", - "parts": [ - { - "id": "at-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and" - }, - { - "id": "at-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update role-based training {{ at-3_prm_3 }}." - } - ] - }, - { - "id": "at-3_gdn", - "name": "guidance", - "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective." - } - ] - }, - { - "id": "at-4", - "class": "SP800-53", - "title": "Training Records", - "parameters": [ - { - "id": "at-4_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-4" - }, - { - "name": "sort-id", - "value": "AT-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-4_smt", - "name": "statement", - "parts": [ - { - "id": "at-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" - }, - { - "id": "at-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain individual training records for {{ at-4_prm_1 }}." - } - ] - }, - { - "id": "at-4_gdn", - "name": "guidance", - "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." - } - ] - } - ] - }, - { - "id": "au", - "class": "family", - "title": "Audit and Accountability", - "controls": [ - { - "id": "au-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "au-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "au-1_prm_2" - }, - { - "id": "au-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "au-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "au-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-1" - }, - { - "name": "sort-id", - "value": "AU-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-1_smt", - "name": "statement", - "parts": [ - { - "id": "au-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ au-1_prm_1 }}:", - "parts": [ - { - "id": "au-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ au-1_prm_2 }} audit and accountability policy that:", - "parts": [ - { - "id": "au-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "au-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "au-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" - } - ] - }, - { - "id": "au-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" - }, - { - "id": "au-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current audit and accountability:", - "parts": [ - { - "id": "au-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ au-1_prm_4 }}; and" - }, - { - "id": "au-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ au-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "au-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "au-2", - "class": "SP800-53", - "title": "Event Logging", - "parameters": [ - { - "id": "au-2_prm_1", - "label": "organization-defined event types that the system is capable of logging" - }, - { - "id": "au-2_prm_2", - "label": "organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type" - }, - { - "id": "au-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-2" - }, - { - "name": "sort-id", - "value": "AU-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#02d8ec60-6197-43f8-9f47-18732127963e", - "rel": "reference", - "text": "[SP 800-92]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "au-2_smt", - "name": "statement", - "parts": [ - { - "id": "au-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};" - }, - { - "id": "au-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" - }, - { - "id": "au-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Specify the following event types for logging within the system: {{ au-2_prm_2 }};" - }, - { - "id": "au-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" - }, - { - "id": "au-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Review and update the event types selected for logging {{ au-2_prm_3 }}." - } - ] - }, - { - "id": "au-2_gdn", - "name": "guidance", - "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." - } - ] - }, - { - "id": "au-3", - "class": "SP800-53", - "title": "Content of Audit Records", - "properties": [ - { - "name": "label", - "value": "AU-3" - }, - { - "name": "sort-id", - "value": "AU-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-8", - "rel": "related", - "text": "AU-8" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "au-3_smt", - "name": "statement", - "prose": "Ensure that audit records contain information that establishes the following:", - "parts": [ - { - "id": "au-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "What type of event occurred;" - }, - { - "id": "au-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When the event occurred;" - }, - { - "id": "au-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Where the event occurred;" - }, - { - "id": "au-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Source of the event;" - }, - { - "id": "au-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Outcome of the event; and" - }, - { - "id": "au-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." - } - ] - }, - { - "id": "au-3_gdn", - "name": "guidance", - "prose": "Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage." - } - ], - "controls": [ - { - "id": "au-3.1", - "class": "SP800-53-enhancement", - "title": "Additional Audit Information", - "parameters": [ - { - "id": "au-3.1_prm_1", - "label": "organization-defined additional information" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-3(1)" - }, - { - "name": "sort-id", - "value": "AU-03(01)" - } - ], - "parts": [ - { - "id": "au-3.1_smt", - "name": "statement", - "prose": "Generate audit records containing the following additional information: {{ au-3.1_prm_1 }}." - }, - { - "id": "au-3.1_gdn", - "name": "guidance", - "prose": "The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest." - } - ] - }, - { - "id": "au-3.2", - "class": "SP800-53-enhancement", - "title": "Centralized Management of Planned Audit Record Content", - "parameters": [ - { - "id": "au-3.2_prm_1", - "label": "organization-defined system components" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-3(2)" - }, - { - "name": "sort-id", - "value": "AU-03(02)" - } - ], - "links": [ - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - } - ], - "parts": [ - { - "id": "au-3.2_smt", - "name": "statement", - "prose": "Provide centralized management and configuration of the content to be captured in audit records generated by {{ au-3.2_prm_1 }}." - }, - { - "id": "au-3.2_gdn", - "name": "guidance", - "prose": "Centralized management of planned audit record content requires that the content to be captured in audit records be configured from a central location (necessitating an automated capability). Organizations coordinate the selection of the required audit record content to support the centralized management and configuration capability provided by the system." - } - ] - } - ] - }, - { - "id": "au-4", - "class": "SP800-53", - "title": "Audit Log Storage Capacity", - "parameters": [ - { - "id": "au-4_prm_1", - "label": "organization-defined audit log retention requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-4" - }, - { - "name": "sort-id", - "value": "AU-04" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-4_smt", - "name": "statement", - "prose": "Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}." - }, - { - "id": "au-4_gdn", - "name": "guidance", - "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." - } - ] - }, - { - "id": "au-5", - "class": "SP800-53", - "title": "Response to Audit Logging Process Failures", - "parameters": [ - { - "id": "au-5_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "au-5_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "au-5_prm_3", - "label": "organization-defined additional actions" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-5" - }, - { - "name": "sort-id", - "value": "AU-05" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-5_smt", - "name": "statement", - "parts": [ - { - "id": "au-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and" - }, - { - "id": "au-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Take the following additional actions: {{ au-5_prm_3 }}." - } - ] - }, - { - "id": "au-5_gdn", - "name": "guidance", - "prose": "Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." - } - ], - "controls": [ - { - "id": "au-5.1", - "class": "SP800-53-enhancement", - "title": "Storage Capacity Warning", - "parameters": [ - { - "id": "au-5.1_prm_1", - "label": "organization-defined personnel, roles, and/or locations" - }, - { - "id": "au-5.1_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "au-5.1_prm_3", - "label": "organization-defined percentage" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-5(1)" - }, - { - "name": "sort-id", - "value": "AU-05(01)" - } - ], - "parts": [ - { - "id": "au-5.1_smt", - "name": "statement", - "prose": "Provide a warning to {{ au-5.1_prm_1 }} within {{ au-5.1_prm_2 }} when allocated audit log storage volume reaches {{ au-5.1_prm_3 }} of repository maximum audit log storage capacity." - }, - { - "id": "au-5.1_gdn", - "name": "guidance", - "prose": "Organizations may have multiple audit log storage repositories distributed across multiple system components, with each repository having different storage volume capacities." - } - ] - }, - { - "id": "au-5.2", - "class": "SP800-53-enhancement", - "title": "Real-time Alerts", - "parameters": [ - { - "id": "au-5.2_prm_1", - "label": "organization-defined real-time-period" - }, - { - "id": "au-5.2_prm_2", - "label": "organization-defined personnel, roles, and/or locations" - }, - { - "id": "au-5.2_prm_3", - "label": "organization-defined audit logging failure events requiring real-time alerts" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-5(2)" - }, - { - "name": "sort-id", - "value": "AU-05(02)" - } - ], - "parts": [ - { - "id": "au-5.2_smt", - "name": "statement", - "prose": "Provide an alert within {{ au-5.2_prm_1 }} to {{ au-5.2_prm_2 }} when the following audit failure events occur: {{ au-5.2_prm_3 }}." - }, - { - "id": "au-5.2_gdn", - "name": "guidance", - "prose": "Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)." - } - ] - } - ] - }, - { - "id": "au-6", - "class": "SP800-53", - "title": "Audit Record Review, Analysis, and Reporting", - "parameters": [ - { - "id": "au-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "au-6_prm_2", - "label": "organization-defined inappropriate or unusual activity" - }, - { - "id": "au-6_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-6" - }, - { - "name": "sort-id", - "value": "AU-06" - } - ], - "links": [ - { - "href": "#35dfd59f-eef2-4f71-bdb5-6d878267456a", - "rel": "reference", - "text": "[SP 800-86]" - }, - { - "href": "#1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "rel": "reference", - "text": "[SP 800-101]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "au-6_smt", - "name": "statement", - "parts": [ - { - "id": "au-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};" - }, - { - "id": "au-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report findings to {{ au-6_prm_3 }}; and" - }, - { - "id": "au-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." - } - ] - }, - { - "id": "au-6_gdn", - "name": "guidance", - "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." - } - ], - "controls": [ - { - "id": "au-6.1", - "class": "SP800-53-enhancement", - "title": "Automated Process Integration", - "parameters": [ - { - "id": "au-6.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-6(1)" - }, - { - "name": "sort-id", - "value": "AU-06(01)" - } - ], - "links": [ - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - } - ], - "parts": [ - { - "id": "au-6.1_smt", - "name": "statement", - "prose": "Integrate audit record review, analysis, and reporting processes using {{ au-6.1_prm_1 }}." - }, - { - "id": "au-6.1_gdn", - "name": "guidance", - "prose": "Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits." - } - ] - }, - { - "id": "au-6.3", - "class": "SP800-53-enhancement", - "title": "Correlate Audit Record Repositories", - "properties": [ - { - "name": "label", - "value": "AU-6(3)" - }, - { - "name": "sort-id", - "value": "AU-06(03)" - } - ], - "links": [ - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - } - ], - "parts": [ - { - "id": "au-6.3_smt", - "name": "statement", - "prose": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." - }, - { - "id": "au-6.3_gdn", - "name": "guidance", - "prose": "Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness." - } - ] - }, - { - "id": "au-6.5", - "class": "SP800-53-enhancement", - "title": "Integrated Analysis of Audit Records", - "parameters": [ - { - "id": "au-6.5_prm_1" - }, - { - "id": "au-6.5_prm_2", - "depends-on": "au-6.5_prm_1", - "label": "organization-defined data/information collected from other sources" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-6(5)" - }, - { - "name": "sort-id", - "value": "AU-06(05)" - } - ], - "links": [ - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - } - ], - "parts": [ - { - "id": "au-6.5_smt", - "name": "statement", - "prose": "Integrate analysis of audit records with analysis of {{ au-6.5_prm_1 }} to further enhance the ability to identify inappropriate or unusual activity." - }, - { - "id": "au-6.5_gdn", - "name": "guidance", - "prose": "Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial of service attacks or other types of attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations." - } - ] - }, - { - "id": "au-6.6", - "class": "SP800-53-enhancement", - "title": "Correlation with Physical Monitoring", - "properties": [ - { - "name": "label", - "value": "AU-6(6)" - }, - { - "name": "sort-id", - "value": "AU-06(06)" - } - ], - "parts": [ - { - "id": "au-6.6_smt", - "name": "statement", - "prose": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity." - }, - { - "id": "au-6.6_gdn", - "name": "guidance", - "prose": "The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred, may be useful in investigations." - } - ] - } - ] - }, - { - "id": "au-7", - "class": "SP800-53", - "title": "Audit Record Reduction and Report Generation", - "properties": [ - { - "name": "label", - "value": "AU-7" - }, - { - "name": "sort-id", - "value": "AU-07" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-7_smt", - "name": "statement", - "prose": "Provide and implement an audit record reduction and report generation capability that:", - "parts": [ - { - "id": "au-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and" - }, - { - "id": "au-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Does not alter the original content or time ordering of audit records." - } - ] - }, - { - "id": "au-7_gdn", - "name": "guidance", - "prose": "Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient." - } - ], - "controls": [ - { - "id": "au-7.1", - "class": "SP800-53-enhancement", - "title": "Automatic Processing", - "parameters": [ - { - "id": "au-7.1_prm_1", - "label": "organization-defined fields within audit records" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-7(1)" - }, - { - "name": "sort-id", - "value": "AU-07(01)" - } - ], - "parts": [ - { - "id": "au-7.1_smt", - "name": "statement", - "prose": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ au-7.1_prm_1 }}." - }, - { - "id": "au-7.1_gdn", - "name": "guidance", - "prose": "Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component." - } - ] - } - ] - }, - { - "id": "au-8", - "class": "SP800-53", - "title": "Time Stamps", - "parameters": [ - { - "id": "au-8_prm_1", - "label": "organization-defined granularity of time measurement" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-8" - }, - { - "name": "sort-id", - "value": "AU-08" - } - ], - "links": [ - { - "href": "#17ca9481-ea11-4ef2-81c1-885fd37d4be5", - "rel": "reference", - "text": "[IETF 5905]" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#sc-45", - "rel": "related", - "text": "SC-45" - } - ], - "parts": [ - { - "id": "au-8_smt", - "name": "statement", - "parts": [ - { - "id": "au-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Use internal system clocks to generate time stamps for audit records; and" - }, - { - "id": "au-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." - } - ] - }, - { - "id": "au-8_gdn", - "name": "guidance", - "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." - } - ], - "controls": [ - { - "id": "au-8.1", - "class": "SP800-53-enhancement", - "title": "Synchronization with Authoritative Time Source", - "parameters": [ - { - "id": "au-8.1_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "au-8.1_prm_2", - "label": "organization-defined authoritative time source" - }, - { - "id": "au-8.1_prm_3", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-8(1)" - }, - { - "name": "sort-id", - "value": "AU-08(01)" - } - ], - "parts": [ - { - "id": "au-8.1_smt", - "name": "statement", - "parts": [ - { - "id": "au-8.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Compare the internal system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and" - }, - { - "id": "au-8.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ au-8.1_prm_3 }}." - } - ] - }, - { - "id": "au-8.1_gdn", - "name": "guidance", - "prose": "Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network." - } - ] - } - ] - }, - { - "id": "au-9", - "class": "SP800-53", - "title": "Protection of Audit Information", - "properties": [ - { - "name": "label", - "value": "AU-9" - }, - { - "name": "sort-id", - "value": "AU-09" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#au-15", - "rel": "related", - "text": "AU-15" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-9_smt", - "name": "statement", - "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion." - }, - { - "id": "au-9_gdn", - "name": "guidance", - "prose": "Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." - } - ], - "controls": [ - { - "id": "au-9.2", - "class": "SP800-53-enhancement", - "title": "Store on Separate Physical Systems or Components", - "parameters": [ - { - "id": "au-9.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-9(2)" - }, - { - "name": "sort-id", - "value": "AU-09(02)" - } - ], - "links": [ - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - } - ], - "parts": [ - { - "id": "au-9.2_smt", - "name": "statement", - "prose": "Store audit records {{ au-9.2_prm_1 }} in a repository that is part of a physically different system or system component than the system or component being audited." - }, - { - "id": "au-9.2_gdn", - "name": "guidance", - "prose": "Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records." - } - ] - }, - { - "id": "au-9.3", - "class": "SP800-53-enhancement", - "title": "Cryptographic Protection", - "properties": [ - { - "name": "label", - "value": "AU-9(3)" - }, - { - "name": "sort-id", - "value": "AU-09(03)" - } - ], - "links": [ - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "au-9.3_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools." - }, - { - "id": "au-9.3_gdn", - "name": "guidance", - "prose": "Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash." - } - ] - }, - { - "id": "au-9.4", - "class": "SP800-53-enhancement", - "title": "Access by Subset of Privileged Users", - "parameters": [ - { - "id": "au-9.4_prm_1", - "label": "organization-defined subset of privileged users or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-9(4)" - }, - { - "name": "sort-id", - "value": "AU-09(04)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - } - ], - "parts": [ - { - "id": "au-9.4_smt", - "name": "statement", - "prose": "Authorize access to management of audit logging functionality to only {{ au-9.4_prm_1 }}." - }, - { - "id": "au-9.4_gdn", - "name": "guidance", - "prose": "Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges." - } - ] - } - ] - }, - { - "id": "au-10", - "class": "SP800-53", - "title": "Non-repudiation", - "parameters": [ - { - "id": "au-10_prm_1", - "label": "organization-defined actions to be covered by non-repudiation" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-10" - }, - { - "name": "sort-id", - "value": "AU-10" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-16", - "rel": "related", - "text": "SC-16" - }, - { - "href": "#sc-17", - "rel": "related", - "text": "SC-17" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - } - ], - "parts": [ - { - "id": "au-10_smt", - "name": "statement", - "prose": "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ au-10_prm_1 }}." - }, - { - "id": "au-10_gdn", - "name": "guidance", - "prose": "Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents; senders of not having transmitted messages; receivers of not having received messages; and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, or approving a procurement request, or received specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts." - } - ] - }, - { - "id": "au-11", - "class": "SP800-53", - "title": "Audit Record Retention", - "parameters": [ - { - "id": "au-11_prm_1", - "label": "organization-defined time-period consistent with records retention policy" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-11" - }, - { - "name": "sort-id", - "value": "AU-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-11_smt", - "name": "statement", - "prose": "Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." - }, - { - "id": "au-11_gdn", - "name": "guidance", - "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention." - } - ] - }, - { - "id": "au-12", - "class": "SP800-53", - "title": "Audit Record Generation", - "parameters": [ - { - "id": "au-12_prm_1", - "label": "organization-defined system components" - }, - { - "id": "au-12_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-12" - }, - { - "name": "sort-id", - "value": "AU-12" - } - ], - "links": [ - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - } - ], - "parts": [ - { - "id": "au-12_smt", - "name": "statement", - "parts": [ - { - "id": "au-12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }};" - }, - { - "id": "au-12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and" - }, - { - "id": "au-12_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." - } - ] - }, - { - "id": "au-12_gdn", - "name": "guidance", - "prose": "Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." - } - ], - "controls": [ - { - "id": "au-12.1", - "class": "SP800-53-enhancement", - "title": "System-wide and Time-correlated Audit Trail", - "parameters": [ - { - "id": "au-12.1_prm_1", - "label": "organization-defined system components" - }, - { - "id": "au-12.1_prm_2", - "label": "organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-12(1)" - }, - { - "name": "sort-id", - "value": "AU-12(01)" - } - ], - "links": [ - { - "href": "#au-8", - "rel": "related", - "text": "AU-8" - } - ], - "parts": [ - { - "id": "au-12.1_smt", - "name": "statement", - "prose": "Compile audit records from {{ au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ au-12.1_prm_2 }}." - }, - { - "id": "au-12.1_gdn", - "name": "guidance", - "prose": "Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances." - } - ] - }, - { - "id": "au-12.3", - "class": "SP800-53-enhancement", - "title": "Changes by Authorized Individuals", - "parameters": [ - { - "id": "au-12.3_prm_1", - "label": "organization-defined individuals or roles" - }, - { - "id": "au-12.3_prm_2", - "label": "organization-defined system components" - }, - { - "id": "au-12.3_prm_3", - "label": "organization-defined selectable event criteria" - }, - { - "id": "au-12.3_prm_4", - "label": "organization-defined time thresholds" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-12(3)" - }, - { - "name": "sort-id", - "value": "AU-12(03)" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - } - ], - "parts": [ - { - "id": "au-12.3_smt", - "name": "statement", - "prose": "Provide and implement the capability for {{ au-12.3_prm_1 }} to change the logging to be performed on {{ au-12.3_prm_2 }} based on {{ au-12.3_prm_3 }} within {{ au-12.3_prm_4 }}." - }, - { - "id": "au-12.3_gdn", - "name": "guidance", - "prose": "Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed, for example, near real-time, within minutes, or within hours." - } - ] - } - ] - } - ] - }, - { - "id": "ca", - "class": "family", - "title": "Assessment, Authorization, and Monitoring", - "controls": [ - { - "id": "ca-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ca-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-1_prm_2" - }, - { - "id": "ca-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ca-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ca-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-1" - }, - { - "name": "sort-id", - "value": "CA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-1_smt", - "name": "statement", - "parts": [ - { - "id": "ca-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ca-1_prm_1 }}:", - "parts": [ - { - "id": "ca-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:", - "parts": [ - { - "id": "ca-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ca-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ca-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" - } - ] - }, - { - "id": "ca-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" - }, - { - "id": "ca-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current assessment, authorization, and monitoring:", - "parts": [ - { - "id": "ca-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ca-1_prm_4 }}; and" - }, - { - "id": "ca-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ca-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ca-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ca-2", - "class": "SP800-53", - "title": "Control Assessments", - "parameters": [ - { - "id": "ca-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ca-2_prm_2", - "label": "organization-defined individuals or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-2" - }, - { - "name": "sort-id", - "value": "CA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "ca-2_smt", - "name": "statement", - "parts": [ - { - "id": "ca-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a control assessment plan that describes the scope of the assessment including:", - "parts": [ - { - "id": "ca-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Controls and control enhancements under assessment;" - }, - { - "id": "ca-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Assessment procedures to be used to determine control effectiveness; and" - }, - { - "id": "ca-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" - } - ] - }, - { - "id": "ca-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" - }, - { - "id": "ca-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" - }, - { - "id": "ca-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Produce a control assessment report that document the results of the assessment; and" - }, - { - "id": "ca-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Provide the results of the control assessment to {{ ca-2_prm_2 }}." - } - ] - }, - { - "id": "ca-2_gdn", - "name": "guidance", - "prose": "Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control." - } - ], - "controls": [ - { - "id": "ca-2.1", - "class": "SP800-53-enhancement", - "title": "Independent Assessors", - "properties": [ - { - "name": "label", - "value": "CA-2(1)" - }, - { - "name": "sort-id", - "value": "CA-02(01)" - } - ], - "parts": [ - { - "id": "ca-2.1_smt", - "name": "statement", - "prose": "Employ independent assessors or assessment teams to conduct control assessments." - }, - { - "id": "ca-2.1_gdn", - "name": "guidance", - "prose": "Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services.\nIndependent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews.\nWhen organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." - } - ] - }, - { - "id": "ca-2.2", - "class": "SP800-53-enhancement", - "title": "Specialized Assessments", - "parameters": [ - { - "id": "ca-2.2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ca-2.2_prm_2" - }, - { - "id": "ca-2.2_prm_3" - }, - { - "id": "ca-2.2_prm_4", - "depends-on": "ca-2.2_prm_3", - "label": "organization-defined other forms of assessment" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-2(2)" - }, - { - "name": "sort-id", - "value": "CA-02(02)" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "ca-2.2_smt", - "name": "statement", - "prose": "Include as part of control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}." - }, - { - "id": "ca-2.2_gdn", - "name": "guidance", - "prose": "Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle, for example, during design, development, and unit testing." - } - ] - } - ] - }, - { - "id": "ca-3", - "class": "SP800-53", - "title": "Information Exchange", - "parameters": [ - { - "id": "ca-3_prm_1" - }, - { - "id": "ca-3_prm_2", - "depends-on": "ca-3_prm_1", - "label": "organization-defined type of agreement" - }, - { - "id": "ca-3_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-3" - }, - { - "name": "sort-id", - "value": "CA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#2e66c31a-190e-49ad-8e00-f306f8a0df17", - "rel": "reference", - "text": "[SP 800-47]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-3_smt", - "name": "statement", - "parts": [ - { - "id": "ca-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }};" - }, - { - "id": "ca-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" - }, - { - "id": "ca-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the agreements {{ ca-3_prm_3 }}." - } - ] - }, - { - "id": "ca-3_gdn", - "name": "guidance", - "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks." - } - ], - "controls": [ - { - "id": "ca-3.6", - "class": "SP800-53-enhancement", - "title": "Transfer Authorizations", - "properties": [ - { - "name": "label", - "value": "CA-3(6)" - }, - { - "name": "sort-id", - "value": "CA-03(06)" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - } - ], - "parts": [ - { - "id": "ca-3.6_smt", - "name": "statement", - "prose": "Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data." - }, - { - "id": "ca-3.6_gdn", - "name": "guidance", - "prose": "To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies via independent means, whether the individual or system attempting to transfer information is authorized to do so. This control enhancement also applies to control plane traffic (e.g., routing and DNS) and services such as authenticated SMTP relays." - } - ] - } - ] - }, - { - "id": "ca-5", - "class": "SP800-53", - "title": "Plan of Action and Milestones", - "parameters": [ - { - "id": "ca-5_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-5" - }, - { - "name": "sort-id", - "value": "CA-05" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-5_smt", - "name": "statement", - "parts": [ - { - "id": "ca-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" - }, - { - "id": "ca-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities." - } - ] - }, - { - "id": "ca-5_gdn", - "name": "guidance", - "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB." - } - ] - }, - { - "id": "ca-6", - "class": "SP800-53", - "title": "Authorization", - "parameters": [ - { - "id": "ca-6_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-6" - }, - { - "name": "sort-id", - "value": "CA-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-6_smt", - "name": "statement", - "parts": [ - { - "id": "ca-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Assign a senior official as the authorizing official for the system;" - }, - { - "id": "ca-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ensure that the authorizing official for the system, before commencing operations:", - "parts": [ - { - "id": "ca-6_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Accepts the use of common controls inherited by the system; and" - }, - { - "id": "ca-6_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Authorizes the system to operate;" - } - ] - }, - { - "id": "ca-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Update the authorizations {{ ca-6_prm_1 }}." - } - ] - }, - { - "id": "ca-6_gdn", - "name": "guidance", - "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." - } - ] - }, - { - "id": "ca-7", - "class": "SP800-53", - "title": "Continuous Monitoring", - "parameters": [ - { - "id": "ca-7_prm_1", - "label": "organization-defined system-level metrics" - }, - { - "id": "ca-7_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-7_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-7" - }, - { - "name": "sort-id", - "value": "CA-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "rel": "reference", - "text": "[IR 8011 v1]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-31", - "rel": "related", - "text": "PM-31" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "ca-7_smt", - "name": "statement", - "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", - "parts": [ - { - "id": "ca-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};" - }, - { - "id": "ca-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "ca-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "ca-7_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "ca-7_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}." - } - ] - }, - { - "id": "ca-7_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ], - "controls": [ - { - "id": "ca-7.1", - "class": "SP800-53-enhancement", - "title": "Independent Assessment", - "properties": [ - { - "name": "label", - "value": "CA-7(1)" - }, - { - "name": "sort-id", - "value": "CA-07(01)" - } - ], - "parts": [ - { - "id": "ca-7.1_smt", - "name": "statement", - "prose": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis." - }, - { - "id": "ca-7.1_gdn", - "name": "guidance", - "prose": "Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services." - } - ] - }, - { - "id": "ca-7.4", - "class": "SP800-53-enhancement", - "title": "Risk Monitoring", - "properties": [ - { - "name": "label", - "value": "CA-7(4)" - }, - { - "name": "sort-id", - "value": "CA-07(04)" - } - ], - "parts": [ - { - "id": "ca-7.4_smt", - "name": "statement", - "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", - "parts": [ - { - "id": "ca-7.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Effectiveness monitoring;" - }, - { - "id": "ca-7.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Compliance monitoring; and" - }, - { - "id": "ca-7.4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Change monitoring." - } - ] - }, - { - "id": "ca-7.4_gdn", - "name": "guidance", - "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." - } - ] - } - ] - }, - { - "id": "ca-8", - "class": "SP800-53", - "title": "Penetration Testing", - "parameters": [ - { - "id": "ca-8_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ca-8_prm_2", - "label": "organization-defined systems or system components" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-8" - }, - { - "name": "sort-id", - "value": "CA-08" - } - ], - "links": [ - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "ca-8_smt", - "name": "statement", - "prose": "Conduct penetration testing {{ ca-8_prm_1 }} on {{ ca-8_prm_2 }}." - }, - { - "id": "ca-8_gdn", - "name": "guidance", - "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries in carrying out attacks and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system; pretest identification of potential vulnerabilities based on pretest analysis; and testing designed to determine exploitability of vulnerabilities. All parties agree to the rules of engagement before commencement of penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." - } - ], - "controls": [ - { - "id": "ca-8.1", - "class": "SP800-53-enhancement", - "title": "Independent Penetration Testing Agent or Team", - "properties": [ - { - "name": "label", - "value": "CA-8(1)" - }, - { - "name": "sort-id", - "value": "CA-08(01)" - } - ], - "links": [ - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - } - ], - "parts": [ - { - "id": "ca-8.1_smt", - "name": "statement", - "prose": "Employ an independent penetration testing agent or team to perform penetration testing on the system or system components." - }, - { - "id": "ca-8.1_gdn", - "name": "guidance", - "prose": "Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing." - } - ] - } - ] - }, - { - "id": "ca-9", - "class": "SP800-53", - "title": "Internal System Connections", - "parameters": [ - { - "id": "ca-9_prm_1", - "label": "organization-defined system components or classes of components" - }, - { - "id": "ca-9_prm_2", - "label": "organization-defined conditions" - }, - { - "id": "ca-9_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-9" - }, - { - "name": "sort-id", - "value": "CA-09" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-9_smt", - "name": "statement", - "parts": [ - { - "id": "ca-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Authorize internal connections of {{ ca-9_prm_1 }} to the system;" - }, - { - "id": "ca-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" - }, - { - "id": "ca-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Terminate internal system connections after {{ ca-9_prm_2 }}; and" - }, - { - "id": "ca-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review {{ ca-9_prm_3 }} the continued need for each internal connection." - } - ] - }, - { - "id": "ca-9_gdn", - "name": "guidance", - "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." - } - ] - } - ] - }, - { - "id": "cm", - "class": "family", - "title": "Configuration Management", - "controls": [ - { - "id": "cm-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "cm-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cm-1_prm_2" - }, - { - "id": "cm-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "cm-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "cm-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-1" - }, - { - "name": "sort-id", - "value": "CM-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cm-1_smt", - "name": "statement", - "parts": [ - { - "id": "cm-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ cm-1_prm_1 }}:", - "parts": [ - { - "id": "cm-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cm-1_prm_2 }} configuration management policy that:", - "parts": [ - { - "id": "cm-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "cm-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "cm-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" - } - ] - }, - { - "id": "cm-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" - }, - { - "id": "cm-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current configuration management:", - "parts": [ - { - "id": "cm-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ cm-1_prm_4 }}; and" - }, - { - "id": "cm-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ cm-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "cm-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "cm-2", - "class": "SP800-53", - "title": "Baseline Configuration", - "parameters": [ - { - "id": "cm-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cm-2_prm_2", - "label": "Assignment organization-defined circumstances" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2" - }, - { - "name": "sort-id", - "value": "CM-02" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#cp-12", - "rel": "related", - "text": "CP-12" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - } - ], - "parts": [ - { - "id": "cm-2_smt", - "name": "statement", - "parts": [ - { - "id": "cm-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" - }, - { - "id": "cm-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the baseline configuration of the system:", - "parts": [ - { - "id": "cm-2_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cm-2_prm_1 }};" - }, - { - "id": "cm-2_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required due to {{ cm-2_prm_2 }}; and" - }, - { - "id": "cm-2_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "When system components are installed or upgraded." - } - ] - } - ] - }, - { - "id": "cm-2_gdn", - "name": "guidance", - "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." - } - ], - "controls": [ - { - "id": "cm-2.2", - "class": "SP800-53-enhancement", - "title": "Automation Support for Accuracy and Currency", - "parameters": [ - { - "id": "cm-2.2_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2(2)" - }, - { - "name": "sort-id", - "value": "CM-02(02)" - } - ], - "links": [ - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - } - ], - "parts": [ - { - "id": "cm-2.2_smt", - "name": "statement", - "prose": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ cm-2.2_prm_1 }}." - }, - { - "id": "cm-2.2_gdn", - "name": "guidance", - "prose": "Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities." - } - ] - }, - { - "id": "cm-2.3", - "class": "SP800-53-enhancement", - "title": "Retention of Previous Configurations", - "parameters": [ - { - "id": "cm-2.3_prm_1", - "label": "organization-defined number" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2(3)" - }, - { - "name": "sort-id", - "value": "CM-02(03)" - } - ], - "parts": [ - { - "id": "cm-2.3_smt", - "name": "statement", - "prose": "Retain {{ cm-2.3_prm_1 }} of previous versions of baseline configurations of the system to support rollback." - }, - { - "id": "cm-2.3_gdn", - "name": "guidance", - "prose": "Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records." - } - ] - }, - { - "id": "cm-2.7", - "class": "SP800-53-enhancement", - "title": "Configure Systems and Components for High-risk Areas", - "parameters": [ - { - "id": "cm-2.7_prm_1", - "label": "organization-defined systems or system components" - }, - { - "id": "cm-2.7_prm_2", - "label": "organization-defined configurations" - }, - { - "id": "cm-2.7_prm_3", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2(7)" - }, - { - "name": "sort-id", - "value": "CM-02(07)" - } - ], - "links": [ - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - } - ], - "parts": [ - { - "id": "cm-2.7_smt", - "name": "statement", - "parts": [ - { - "id": "cm-2.7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Issue {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and" - }, - { - "id": "cm-2.7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Apply the following controls to the systems or components when the individuals return from travel: {{ cm-2.7_prm_3 }}." - } - ] - }, - { - "id": "cm-2.7_gdn", - "name": "guidance", - "prose": "When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family." - } - ] - } - ] - }, - { - "id": "cm-3", - "class": "SP800-53", - "title": "Configuration Change Control", - "parameters": [ - { - "id": "cm-3_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "cm-3_prm_2", - "label": "organization-defined configuration change control element" - }, - { - "id": "cm-3_prm_3" - }, - { - "id": "cm-3_prm_4", - "depends-on": "cm-3_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "cm-3_prm_5", - "depends-on": "cm-3_prm_3", - "label": "organization-defined configuration change conditions" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-3" - }, - { - "name": "sort-id", - "value": "CM-03" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "cm-3_smt", - "name": "statement", - "parts": [ - { - "id": "cm-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine and document the types of changes to the system that are configuration-controlled;" - }, - { - "id": "cm-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;" - }, - { - "id": "cm-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document configuration change decisions associated with the system;" - }, - { - "id": "cm-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement approved configuration-controlled changes to the system;" - }, - { - "id": "cm-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Retain records of configuration-controlled changes to the system for {{ cm-3_prm_1 }};" - }, - { - "id": "cm-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Monitor and review activities associated with configuration-controlled changes to the system; and" - }, - { - "id": "cm-3_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Coordinate and provide oversight for configuration change control activities through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}." - } - ] - }, - { - "id": "cm-3_gdn", - "name": "guidance", - "prose": "Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10." - } - ], - "controls": [ - { - "id": "cm-3.1", - "class": "SP800-53-enhancement", - "title": "Automated Documentation, Notification, and Prohibition of Changes", - "parameters": [ - { - "id": "cm-3.1_prm_1", - "label": "organization-defined automated mechanisms" - }, - { - "id": "cm-3.1_prm_2", - "label": "organization-defined approval authorities" - }, - { - "id": "cm-3.1_prm_3", - "label": "organization-defined time-period" - }, - { - "id": "cm-3.1_prm_4", - "label": "organization-defined personnel" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-3(1)" - }, - { - "name": "sort-id", - "value": "CM-03(01)" - } - ], - "parts": [ - { - "id": "cm-3.1_smt", - "name": "statement", - "prose": "Use {{ cm-3.1_prm_1 }} to:", - "parts": [ - { - "id": "cm-3.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Document proposed changes to the system;" - }, - { - "id": "cm-3.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Notify {{ cm-3.1_prm_2 }} of proposed changes to the system and request change approval;" - }, - { - "id": "cm-3.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Highlight proposed changes to the system that have not been approved or disapproved within {{ cm-3.1_prm_3 }};" - }, - { - "id": "cm-3.1_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Prohibit changes to the system until designated approvals are received;" - }, - { - "id": "cm-3.1_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(e)" - } - ], - "prose": "Document all changes to the system; and" - }, - { - "id": "cm-3.1_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(f)" - } - ], - "prose": "Notify {{ cm-3.1_prm_4 }} when approved changes to the system are completed." - } - ] - }, - { - "id": "cm-3.1_gdn", - "name": "guidance", - "prose": "None." - } - ] - }, - { - "id": "cm-3.2", - "class": "SP800-53-enhancement", - "title": "Testing, Validation, and Documentation of Changes", - "properties": [ - { - "name": "label", - "value": "CM-3(2)" - }, - { - "name": "sort-id", - "value": "CM-03(02)" - } - ], - "parts": [ - { - "id": "cm-3.2_smt", - "name": "statement", - "prose": "Test, validate, and document changes to the system before finalizing the implementation of the changes." - }, - { - "id": "cm-3.2_gdn", - "name": "guidance", - "prose": "Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls." - } - ] - }, - { - "id": "cm-3.4", - "class": "SP800-53-enhancement", - "title": "Security and Privacy Representatives", - "parameters": [ - { - "id": "cm-3.4_prm_1", - "label": "organization-defined security and privacy representatives" - }, - { - "id": "cm-3.4_prm_2", - "label": "organization-defined configuration change control element" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-3(4)" - }, - { - "name": "sort-id", - "value": "CM-03(04)" - } - ], - "parts": [ - { - "id": "cm-3.4_smt", - "name": "statement", - "prose": "Require {{ cm-3.4_prm_1 }} to be members of the {{ cm-3.4_prm_2 }}." - }, - { - "id": "cm-3.4_gdn", - "name": "guidance", - "prose": "Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3." - } - ] - }, - { - "id": "cm-3.6", - "class": "SP800-53-enhancement", - "title": "Cryptography Management", - "parameters": [ - { - "id": "cm-3.6_prm_1", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-3(6)" - }, - { - "name": "sort-id", - "value": "CM-03(06)" - } - ], - "links": [ - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - } - ], - "parts": [ - { - "id": "cm-3.6_smt", - "name": "statement", - "prose": "Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ cm-3.6_prm_1 }}." - }, - { - "id": "cm-3.6_gdn", - "name": "guidance", - "prose": "The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates." - } - ] - } - ] - }, - { - "id": "cm-4", - "class": "SP800-53", - "title": "Impact Analyses", - "properties": [ - { - "name": "label", - "value": "CM-4" - }, - { - "name": "sort-id", - "value": "CM-04" - } - ], - "links": [ - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "cm-4_smt", - "name": "statement", - "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." - }, - { - "id": "cm-4_gdn", - "name": "guidance", - "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required." - } - ], - "controls": [ - { - "id": "cm-4.1", - "class": "SP800-53-enhancement", - "title": "Separate Test Environments", - "properties": [ - { - "name": "label", - "value": "CM-4(1)" - }, - { - "name": "sort-id", - "value": "CM-04(01)" - } - ], - "links": [ - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "cm-4.1_smt", - "name": "statement", - "prose": "Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice." - }, - { - "id": "cm-4.1_gdn", - "name": "guidance", - "prose": "A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation." - } - ] - }, - { - "id": "cm-4.2", - "class": "SP800-53-enhancement", - "title": "Verification of Controls", - "properties": [ - { - "name": "label", - "value": "CM-4(2)" - }, - { - "name": "sort-id", - "value": "CM-04(02)" - } - ], - "links": [ - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - } - ], - "parts": [ - { - "id": "cm-4.2_smt", - "name": "statement", - "prose": "After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system." - }, - { - "id": "cm-4.2_gdn", - "name": "guidance", - "prose": "Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls." - } - ] - } - ] - }, - { - "id": "cm-5", - "class": "SP800-53", - "title": "Access Restrictions for Change", - "properties": [ - { - "name": "label", - "value": "CM-5" - }, - { - "name": "sort-id", - "value": "CM-05" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - } - ], - "parts": [ - { - "id": "cm-5_smt", - "name": "statement", - "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." - }, - { - "id": "cm-5_gdn", - "name": "guidance", - "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." - } - ], - "controls": [ - { - "id": "cm-5.1", - "class": "SP800-53-enhancement", - "title": "Automated Access Enforcement and Audit Records", - "parameters": [ - { - "id": "cm-5.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-5(1)" - }, - { - "name": "sort-id", - "value": "CM-05(01)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cm-5.1_smt", - "name": "statement", - "parts": [ - { - "id": "cm-5.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Enforce access restrictions using {{ cm-5.1_prm_1 }}; and" - }, - { - "id": "cm-5.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Automatically generate audit records of the enforcement actions." - } - ] - }, - { - "id": "cm-5.1_gdn", - "name": "guidance", - "prose": "Organizations log access records associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes." - } - ] - }, - { - "id": "cm-5.3", - "class": "SP800-53-enhancement", - "title": "Signed Components", - "parameters": [ - { - "id": "cm-5.3_prm_1", - "label": "organization-defined software and firmware components" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-5(3)" - }, - { - "name": "sort-id", - "value": "CM-05(03)" - } - ], - "links": [ - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-5.3_smt", - "name": "statement", - "prose": "Prevent the installation of {{ cm-5.3_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization." - }, - { - "id": "cm-5.3_gdn", - "name": "guidance", - "prose": "Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication." - } - ] - } - ] - }, - { - "id": "cm-6", - "class": "SP800-53", - "title": "Configuration Settings", - "parameters": [ - { - "id": "cm-6_prm_1", - "label": "organization-defined common secure configurations" - }, - { - "id": "cm-6_prm_2", - "label": "organization-defined system components" - }, - { - "id": "cm-6_prm_3", - "label": "organization-defined operational requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-6" - }, - { - "name": "sort-id", - "value": "CM-06" - } - ], - "links": [ - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "rel": "reference", - "text": "[SP 800-126]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#06842bea-64c9-4e20-807a-b8fc003fa737", - "rel": "reference", - "text": "[USGCB]" - }, - { - "href": "#5cc04a1c-5489-4751-a493-746a9639067b", - "rel": "reference", - "text": "[NCPR]" - }, - { - "href": "#294eed19-7471-4517-9480-2ec73e7c6a78", - "rel": "reference", - "text": "[DOD STIG]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - } - ], - "parts": [ - { - "id": "cm-6_smt", - "name": "statement", - "parts": [ - { - "id": "cm-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;" - }, - { - "id": "cm-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the configuration settings;" - }, - { - "id": "cm-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and" - }, - { - "id": "cm-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." - } - ] - }, - { - "id": "cm-6_gdn", - "name": "guidance", - "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\nImplementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." - } - ], - "controls": [ - { - "id": "cm-6.1", - "class": "SP800-53-enhancement", - "title": "Automated Management, Application, and Verification", - "parameters": [ - { - "id": "cm-6.1_prm_1", - "label": "organization-defined system components" - }, - { - "id": "cm-6.1_prm_2", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-6(1)" - }, - { - "name": "sort-id", - "value": "CM-06(01)" - } - ], - "links": [ - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - } - ], - "parts": [ - { - "id": "cm-6.1_smt", - "name": "statement", - "prose": "Centrally manage, apply, and verify configuration settings for {{ cm-6.1_prm_1 }} using {{ cm-6.1_prm_2 }}." - }, - { - "id": "cm-6.1_gdn", - "name": "guidance", - "prose": "Automated tools (e.g., security information and event management tools or enterprise security monitoring tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision making within the organization." - } - ] - }, - { - "id": "cm-6.2", - "class": "SP800-53-enhancement", - "title": "Respond to Unauthorized Changes", - "parameters": [ - { - "id": "cm-6.2_prm_1", - "label": "organization-defined configuration settings" - }, - { - "id": "cm-6.2_prm_2", - "label": "organization-defined actions" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-6(2)" - }, - { - "name": "sort-id", - "value": "CM-06(02)" - } - ], - "links": [ - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-6.2_smt", - "name": "statement", - "prose": "Take the following actions in response to unauthorized changes to {{ cm-6.2_prm_1 }}: {{ cm-6.2_prm_2 }}." - }, - { - "id": "cm-6.2_gdn", - "name": "guidance", - "prose": "Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected system processing." - } - ] - } - ] - }, - { - "id": "cm-7", - "class": "SP800-53", - "title": "Least Functionality", - "parameters": [ - { - "id": "cm-7_prm_1", - "label": "organization-defined mission essential capabilities" - }, - { - "id": "cm-7_prm_2", - "label": "organization-defined prohibited or restricted functions, ports, protocols, software, and/or services" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7" - }, - { - "name": "sort-id", - "value": "CM-07" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#893d1736-324c-41d6-a5f4-d526b5ca981a", - "rel": "reference", - "text": "[SP 800-167]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "cm-7_smt", - "name": "statement", - "parts": [ - { - "id": "cm-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Configure the system to provide only {{ cm-7_prm_1 }}; and" - }, - { - "id": "cm-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}." - } - ] - }, - { - "id": "cm-7_gdn", - "name": "guidance", - "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3)." - } - ], - "controls": [ - { - "id": "cm-7.1", - "class": "SP800-53-enhancement", - "title": "Periodic Review", - "parameters": [ - { - "id": "cm-7.1_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cm-7.1_prm_2", - "label": "organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7(1)" - }, - { - "name": "sort-id", - "value": "CM-07(01)" - } - ], - "links": [ - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - } - ], - "parts": [ - { - "id": "cm-7.1_smt", - "name": "statement", - "parts": [ - { - "id": "cm-7.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Review the system {{ cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and" - }, - { - "id": "cm-7.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Disable or remove {{ cm-7.1_prm_2 }}." - } - ] - }, - { - "id": "cm-7.1_gdn", - "name": "guidance", - "prose": "Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking." - } - ] - }, - { - "id": "cm-7.2", - "class": "SP800-53-enhancement", - "title": "Prevent Program Execution", - "parameters": [ - { - "id": "cm-7.2_prm_1" - }, - { - "id": "cm-7.2_prm_2", - "depends-on": "cm-7.2_prm_1", - "label": "organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7(2)" - }, - { - "name": "sort-id", - "value": "CM-07(02)" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - } - ], - "parts": [ - { - "id": "cm-7.2_smt", - "name": "statement", - "prose": "Prevent program execution in accordance with {{ cm-7.2_prm_1 }}." - }, - { - "id": "cm-7.2_gdn", - "name": "guidance", - "prose": "Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time." - } - ] - }, - { - "id": "cm-7.5", - "class": "SP800-53-enhancement", - "title": "Authorized Software — Whitelisting", - "parameters": [ - { - "id": "cm-7.5_prm_1", - "label": "organization-defined software programs authorized to execute on the system" - }, - { - "id": "cm-7.5_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7(5)" - }, - { - "name": "sort-id", - "value": "CM-07(05)" - } - ], - "links": [ - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-7.5_smt", - "name": "statement", - "parts": [ - { - "id": "cm-7.5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Identify {{ cm-7.5_prm_1 }};" - }, - { - "id": "cm-7.5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and" - }, - { - "id": "cm-7.5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Review and update the list of authorized software programs {{ cm-7.5_prm_2 }}." - } - ] - }, - { - "id": "cm-7.5_gdn", - "name": "guidance", - "prose": "The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7." - } - ] - } - ] - }, - { - "id": "cm-8", - "class": "SP800-53", - "title": "System Component Inventory", - "parameters": [ - { - "id": "cm-8_prm_1", - "label": "organization-defined information deemed necessary to achieve effective system component accountability" - }, - { - "id": "cm-8_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-8" - }, - { - "name": "sort-id", - "value": "CM-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "cm-8_smt", - "name": "statement", - "parts": [ - { - "id": "cm-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and document an inventory of system components that:", - "parts": [ - { - "id": "cm-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Accurately reflects the system;" - }, - { - "id": "cm-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Includes all components within the system;" - }, - { - "id": "cm-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" - }, - { - "id": "cm-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and" - } - ] - }, - { - "id": "cm-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the system component inventory {{ cm-8_prm_2 }}." - } - ] - }, - { - "id": "cm-8_gdn", - "name": "guidance", - "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location." - } - ], - "controls": [ - { - "id": "cm-8.1", - "class": "SP800-53-enhancement", - "title": "Updates During Installation and Removal", - "properties": [ - { - "name": "label", - "value": "CM-8(1)" - }, - { - "name": "sort-id", - "value": "CM-08(01)" - } - ], - "links": [ - { - "href": "#pm-16", - "rel": "related", - "text": "PM-16" - } - ], - "parts": [ - { - "id": "cm-8.1_smt", - "name": "statement", - "prose": "Update the inventory of system components as part of component installations, removals, and system updates." - }, - { - "id": "cm-8.1_gdn", - "name": "guidance", - "prose": "Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components." - } - ] - }, - { - "id": "cm-8.2", - "class": "SP800-53-enhancement", - "title": "Automated Maintenance", - "parameters": [ - { - "id": "cm-8.2_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-8(2)" - }, - { - "name": "sort-id", - "value": "CM-08(02)" - } - ], - "parts": [ - { - "id": "cm-8.2_smt", - "name": "statement", - "prose": "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ cm-8.2_prm_1 }}." - }, - { - "id": "cm-8.2_gdn", - "name": "guidance", - "prose": "Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities." - } - ] - }, - { - "id": "cm-8.3", - "class": "SP800-53-enhancement", - "title": "Automated Unauthorized Component Detection", - "parameters": [ - { - "id": "cm-8.3_prm_1", - "label": "organization-defined automated mechanisms" - }, - { - "id": "cm-8.3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "cm-8.3_prm_3" - }, - { - "id": "cm-8.3_prm_4", - "depends-on": "cm-8.3_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-8(3)" - }, - { - "name": "sort-id", - "value": "CM-08(03)" - } - ], - "links": [ - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - }, - { - "href": "#sc-44", - "rel": "related", - "text": "SC-44" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-8.3_smt", - "name": "statement", - "parts": [ - { - "id": "cm-8.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ cm-8.3_prm_1 }}\n {{ cm-8.3_prm_2 }}; and" - }, - { - "id": "cm-8.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Take the following actions when unauthorized components are detected: {{ cm-8.3_prm_3 }}." - } - ] - }, - { - "id": "cm-8.3_gdn", - "name": "guidance", - "prose": "Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing." - } - ] - }, - { - "id": "cm-8.4", - "class": "SP800-53-enhancement", - "title": "Accountability Information", - "parameters": [ - { - "id": "cm-8.4_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-8(4)" - }, - { - "name": "sort-id", - "value": "CM-08(04)" - } - ], - "parts": [ - { - "id": "cm-8.4_smt", - "name": "statement", - "prose": "Include in the system component inventory information, a means for identifying by {{ cm-8.4_prm_1 }}, individuals responsible and accountable for administering those components." - }, - { - "id": "cm-8.4_gdn", - "name": "guidance", - "prose": "Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required, for example, the component is determined to be the source of a breach; the component needs to be recalled or replaced; or the component needs to be relocated." - } - ] - } - ] - }, - { - "id": "cm-9", - "class": "SP800-53", - "title": "Configuration Management Plan", - "parameters": [ - { - "id": "cm-9_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-9" - }, - { - "name": "sort-id", - "value": "CM-09" - } - ], - "links": [ - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cm-9_smt", - "name": "statement", - "prose": "Develop, document, and implement a configuration management plan for the system that:", - "parts": [ - { - "id": "cm-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Addresses roles, responsibilities, and configuration management processes and procedures;" - }, - { - "id": "cm-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" - }, - { - "id": "cm-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Defines the configuration items for the system and places the configuration items under configuration management;" - }, - { - "id": "cm-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Is reviewed and approved by {{ cm-9_prm_1 }}; and" - }, - { - "id": "cm-9_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protects the configuration management plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "cm-9_gdn", - "name": "guidance", - "prose": "Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents.\nOrganizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control." - } - ] - }, - { - "id": "cm-10", - "class": "SP800-53", - "title": "Software Usage Restrictions", - "properties": [ - { - "name": "label", - "value": "CM-10" - }, - { - "name": "sort-id", - "value": "CM-10" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "cm-10_smt", - "name": "statement", - "parts": [ - { - "id": "cm-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" - }, - { - "id": "cm-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" - }, - { - "id": "cm-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." - } - ] - }, - { - "id": "cm-10_gdn", - "name": "guidance", - "prose": "Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement." - } - ] - }, - { - "id": "cm-11", - "class": "SP800-53", - "title": "User-installed Software", - "parameters": [ - { - "id": "cm-11_prm_1", - "label": "organization-defined policies" - }, - { - "id": "cm-11_prm_2", - "label": "organization-defined methods" - }, - { - "id": "cm-11_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-11" - }, - { - "name": "sort-id", - "value": "CM-11" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-11_smt", - "name": "statement", - "parts": [ - { - "id": "cm-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish {{ cm-11_prm_1 }} governing the installation of software by users;" - }, - { - "id": "cm-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and" - }, - { - "id": "cm-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Monitor policy compliance {{ cm-11_prm_3 }}." - } - ] - }, - { - "id": "cm-11_gdn", - "name": "guidance", - "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." - } - ] - }, - { - "id": "cm-12", - "class": "SP800-53", - "title": "Information Location", - "parameters": [ - { - "id": "cm-12_prm_1", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-12" - }, - { - "name": "sort-id", - "value": "CM-12" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-23", - "rel": "related", - "text": "AC-23" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-4", - "rel": "related", - "text": "SC-4" - }, - { - "href": "#sc-16", - "rel": "related", - "text": "SC-16" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-12_smt", - "name": "statement", - "parts": [ - { - "id": "cm-12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document the location of {{ cm-12_prm_1 }} and the specific system components on which the information is processed and stored;" - }, - { - "id": "cm-12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Identify and document the users who have access to the system and system components where the information is processed and stored; and" - }, - { - "id": "cm-12_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document changes to the location (i.e., system or system components) where the information is processed and stored." - } - ] - }, - { - "id": "cm-12_gdn", - "name": "guidance", - "prose": "Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17)." - } - ], - "controls": [ - { - "id": "cm-12.1", - "class": "SP800-53-enhancement", - "title": "Automated Tools to Support Information Location", - "parameters": [ - { - "id": "cm-12.1_prm_1", - "label": "organization-defined information by information type" - }, - { - "id": "cm-12.1_prm_2", - "label": "organization-defined system components" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-12(1)" - }, - { - "name": "sort-id", - "value": "CM-12(01)" - } - ], - "parts": [ - { - "id": "cm-12.1_smt", - "name": "statement", - "prose": "Use automated tools to identify {{ cm-12.1_prm_1 }} on {{ cm-12.1_prm_2 }} to ensure controls are in place to protect organizational information and individual privacy." - }, - { - "id": "cm-12.1_gdn", - "name": "guidance", - "prose": "The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions." - } - ] - } - ] - } - ] - }, - { - "id": "cp", - "class": "family", - "title": "Contingency Planning", - "controls": [ - { - "id": "cp-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "cp-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cp-1_prm_2" - }, - { - "id": "cp-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "cp-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "cp-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-1" - }, - { - "name": "sort-id", - "value": "CP-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cp-1_smt", - "name": "statement", - "parts": [ - { - "id": "cp-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ cp-1_prm_1 }}:", - "parts": [ - { - "id": "cp-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cp-1_prm_2 }} contingency planning policy that:", - "parts": [ - { - "id": "cp-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "cp-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "cp-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" - } - ] - }, - { - "id": "cp-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" - }, - { - "id": "cp-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current contingency planning:", - "parts": [ - { - "id": "cp-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ cp-1_prm_4 }}; and" - }, - { - "id": "cp-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ cp-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "cp-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "cp-2", - "class": "SP800-53", - "title": "Contingency Plan", - "parameters": [ - { - "id": "cp-2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cp-2_prm_2", - "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "id": "cp-2_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "cp-2_prm_4", - "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2" - }, - { - "name": "sort-id", - "value": "CP-02" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#7a93e915-fd58-4147-be12-e48044c367e6", - "rel": "reference", - "text": "[IR 8179]" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#cp-11", - "rel": "related", - "text": "CP-11" - }, - { - "href": "#cp-13", - "rel": "related", - "text": "CP-13" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cp-2_smt", - "name": "statement", - "parts": [ - { - "id": "cp-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a contingency plan for the system that:", - "parts": [ - { - "id": "cp-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Identifies essential missions and business functions and associated contingency requirements;" - }, - { - "id": "cp-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Provides recovery objectives, restoration priorities, and metrics;" - }, - { - "id": "cp-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" - }, - { - "id": "cp-2_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;" - }, - { - "id": "cp-2_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and" - }, - { - "id": "cp-2_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Is reviewed and approved by {{ cp-2_prm_1 }};" - } - ] - }, - { - "id": "cp-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the contingency plan to {{ cp-2_prm_2 }};" - }, - { - "id": "cp-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Coordinate contingency planning activities with incident handling activities;" - }, - { - "id": "cp-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review the contingency plan for the system {{ cp-2_prm_3 }};" - }, - { - "id": "cp-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" - }, - { - "id": "cp-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Communicate contingency plan changes to {{ cp-2_prm_4 }}; and" - }, - { - "id": "cp-2_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Protect the contingency plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "cp-2_gdn", - "name": "guidance", - "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.\nIn addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family." - } - ], - "controls": [ - { - "id": "cp-2.1", - "class": "SP800-53-enhancement", - "title": "Coordinate with Related Plans", - "properties": [ - { - "name": "label", - "value": "CP-2(1)" - }, - { - "name": "sort-id", - "value": "CP-02(01)" - } - ], - "parts": [ - { - "id": "cp-2.1_smt", - "name": "statement", - "prose": "Coordinate contingency plan development with organizational elements responsible for related plans." - }, - { - "id": "cp-2.1_gdn", - "name": "guidance", - "prose": "Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans." - } - ] - }, - { - "id": "cp-2.2", - "class": "SP800-53-enhancement", - "title": "Capacity Planning", - "properties": [ - { - "name": "label", - "value": "CP-2(2)" - }, - { - "name": "sort-id", - "value": "CP-02(02)" - } - ], - "links": [ - { - "href": "#pe-11", - "rel": "related", - "text": "PE-11" - }, - { - "href": "#pe-12", - "rel": "related", - "text": "PE-12" - }, - { - "href": "#pe-13", - "rel": "related", - "text": "PE-13" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - } - ], - "parts": [ - { - "id": "cp-2.2_smt", - "name": "statement", - "prose": "Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations." - }, - { - "id": "cp-2.2_gdn", - "name": "guidance", - "prose": "Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential missions and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance." - } - ] - }, - { - "id": "cp-2.3", - "class": "SP800-53-enhancement", - "title": "Resume Missions and Business Functions", - "parameters": [ - { - "id": "cp-2.3_prm_1" - }, - { - "id": "cp-2.3_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2(3)" - }, - { - "name": "sort-id", - "value": "CP-02(03)" - } - ], - "parts": [ - { - "id": "cp-2.3_smt", - "name": "statement", - "prose": "Plan for the resumption of {{ cp-2.3_prm_1 }} missions and business functions within {{ cp-2.3_prm_2 }} of contingency plan activation." - }, - { - "id": "cp-2.3_gdn", - "name": "guidance", - "prose": "Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure." - } - ] - }, - { - "id": "cp-2.5", - "class": "SP800-53-enhancement", - "title": "Continue Missions and Business Functions", - "parameters": [ - { - "id": "cp-2.5_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2(5)" - }, - { - "name": "sort-id", - "value": "CP-02(05)" - } - ], - "parts": [ - { - "id": "cp-2.5_smt", - "name": "statement", - "prose": "Plan for the continuance of {{ cp-2.5_prm_1 }} missions and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites." - }, - { - "id": "cp-2.5_gdn", - "name": "guidance", - "prose": "Organizations may choose to conduct the contingency planning activities to continue missions and business functions as part of business continuity planning or as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency." - } - ] - }, - { - "id": "cp-2.8", - "class": "SP800-53-enhancement", - "title": "Identify Critical Assets", - "parameters": [ - { - "id": "cp-2.8_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2(8)" - }, - { - "name": "sort-id", - "value": "CP-02(08)" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - } - ], - "parts": [ - { - "id": "cp-2.8_smt", - "name": "statement", - "prose": "Identify critical system assets supporting {{ cp-2.8_prm_1 }} missions and business functions." - }, - { - "id": "cp-2.8_gdn", - "name": "guidance", - "prose": "Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement." - } - ] - } - ] - }, - { - "id": "cp-3", - "class": "SP800-53", - "title": "Contingency Training", - "parameters": [ - { - "id": "cp-3_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "cp-3_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-3" - }, - { - "name": "sort-id", - "value": "CP-03" - } - ], - "links": [ - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "cp-3_smt", - "name": "statement", - "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", - "parts": [ - { - "id": "cp-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility;" - }, - { - "id": "cp-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When required by system changes; and" - }, - { - "id": "cp-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "\n {{ cp-3_prm_2 }} thereafter." - } - ] - }, - { - "id": "cp-3_gdn", - "name": "guidance", - "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan." - } - ], - "controls": [ - { - "id": "cp-3.1", - "class": "SP800-53-enhancement", - "title": "Simulated Events", - "properties": [ - { - "name": "label", - "value": "CP-3(1)" - }, - { - "name": "sort-id", - "value": "CP-03(01)" - } - ], - "parts": [ - { - "id": "cp-3.1_smt", - "name": "statement", - "prose": "Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations." - }, - { - "id": "cp-3.1_gdn", - "name": "guidance", - "prose": "The use of simulated events creates an environment for personnel to experience actual threat events including cyber-attacks that disable web sites, ransom-ware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures." - } - ] - } - ] - }, - { - "id": "cp-4", - "class": "SP800-53", - "title": "Contingency Plan Testing", - "parameters": [ - { - "id": "cp-4_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cp-4_prm_2", - "label": "organization-defined tests" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-4" - }, - { - "name": "sort-id", - "value": "CP-04" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#20bf433b-074c-47a0-8fca-cd591772ccd6", - "rel": "reference", - "text": "[SP 800-84]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "cp-4_smt", - "name": "statement", - "parts": [ - { - "id": "cp-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}." - }, - { - "id": "cp-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the contingency plan test results; and" - }, - { - "id": "cp-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Initiate corrective actions, if needed." - } - ] - }, - { - "id": "cp-4_gdn", - "name": "guidance", - "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." - } - ], - "controls": [ - { - "id": "cp-4.1", - "class": "SP800-53-enhancement", - "title": "Coordinate with Related Plans", - "properties": [ - { - "name": "label", - "value": "CP-4(1)" - }, - { - "name": "sort-id", - "value": "CP-04(01)" - } - ], - "links": [ - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - } - ], - "parts": [ - { - "id": "cp-4.1_smt", - "name": "statement", - "prose": "Coordinate contingency plan testing with organizational elements responsible for related plans." - }, - { - "id": "cp-4.1_gdn", - "name": "guidance", - "prose": "Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements." - } - ] - }, - { - "id": "cp-4.2", - "class": "SP800-53-enhancement", - "title": "Alternate Processing Site", - "properties": [ - { - "name": "label", - "value": "CP-4(2)" - }, - { - "name": "sort-id", - "value": "CP-04(02)" - } - ], - "links": [ - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "cp-4.2_smt", - "name": "statement", - "prose": "Test the contingency plan at the alternate processing site:", - "parts": [ - { - "id": "cp-4.2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "To familiarize contingency personnel with the facility and available resources; and" - }, - { - "id": "cp-4.2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "To evaluate the capabilities of the alternate processing site to support contingency operations." - } - ] - }, - { - "id": "cp-4.2_gdn", - "name": "guidance", - "prose": "Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience, firsthand, the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational missions and functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing." - } - ] - } - ] - }, - { - "id": "cp-6", - "class": "SP800-53", - "title": "Alternate Storage Site", - "properties": [ - { - "name": "label", - "value": "CP-6" - }, - { - "name": "sort-id", - "value": "CP-06" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-36", - "rel": "related", - "text": "SC-36" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-6_smt", - "name": "statement", - "parts": [ - { - "id": "cp-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and" - }, - { - "id": "cp-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensure that the alternate storage site provides controls equivalent to that of the primary site." - } - ] - }, - { - "id": "cp-6_gdn", - "name": "guidance", - "prose": "Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems." - } - ], - "controls": [ - { - "id": "cp-6.1", - "class": "SP800-53-enhancement", - "title": "Separation from Primary Site", - "properties": [ - { - "name": "label", - "value": "CP-6(1)" - }, - { - "name": "sort-id", - "value": "CP-06(01)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-6.1_smt", - "name": "statement", - "prose": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." - }, - { - "id": "cp-6.1_gdn", - "name": "guidance", - "prose": "Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." - } - ] - }, - { - "id": "cp-6.2", - "class": "SP800-53-enhancement", - "title": "Recovery Time and Recovery Point Objectives", - "properties": [ - { - "name": "label", - "value": "CP-6(2)" - }, - { - "name": "sort-id", - "value": "CP-06(02)" - } - ], - "parts": [ - { - "id": "cp-6.2_smt", - "name": "statement", - "prose": "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives." - }, - { - "id": "cp-6.2_gdn", - "name": "guidance", - "prose": "Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations ensuring accessibility and correct execution." - } - ] - }, - { - "id": "cp-6.3", - "class": "SP800-53-enhancement", - "title": "Accessibility", - "properties": [ - { - "name": "label", - "value": "CP-6(3)" - }, - { - "name": "sort-id", - "value": "CP-06(03)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-6.3_smt", - "name": "statement", - "prose": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions." - }, - { - "id": "cp-6.3_gdn", - "name": "guidance", - "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted." - } - ] - } - ] - }, - { - "id": "cp-7", - "class": "SP800-53", - "title": "Alternate Processing Site", - "parameters": [ - { - "id": "cp-7_prm_1", - "label": "organization-defined system operations" - }, - { - "id": "cp-7_prm_2", - "label": "organization-defined time-period consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-7" - }, - { - "name": "sort-id", - "value": "CP-07" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-11", - "rel": "related", - "text": "PE-11" - }, - { - "href": "#pe-12", - "rel": "related", - "text": "PE-12" - }, - { - "href": "#pe-17", - "rel": "related", - "text": "PE-17" - }, - { - "href": "#sc-36", - "rel": "related", - "text": "SC-36" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-7_smt", - "name": "statement", - "parts": [ - { - "id": "cp-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ cp-7_prm_1 }} for essential missions and business functions within {{ cp-7_prm_2 }} when the primary processing capabilities are unavailable;" - }, - { - "id": "cp-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and" - }, - { - "id": "cp-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Provide controls at the alternate processing site that are equivalent to those at the primary site." - } - ] - }, - { - "id": "cp-7_gdn", - "name": "guidance", - "prose": "Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems." - } - ], - "controls": [ - { - "id": "cp-7.1", - "class": "SP800-53-enhancement", - "title": "Separation from Primary Site", - "properties": [ - { - "name": "label", - "value": "CP-7(1)" - }, - { - "name": "sort-id", - "value": "CP-07(01)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-7.1_smt", - "name": "statement", - "prose": "Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats." - }, - { - "id": "cp-7.1_gdn", - "name": "guidance", - "prose": "Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." - } - ] - }, - { - "id": "cp-7.2", - "class": "SP800-53-enhancement", - "title": "Accessibility", - "properties": [ - { - "name": "label", - "value": "CP-7(2)" - }, - { - "name": "sort-id", - "value": "CP-07(02)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-7.2_smt", - "name": "statement", - "prose": "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." - }, - { - "id": "cp-7.2_gdn", - "name": "guidance", - "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk." - } - ] - }, - { - "id": "cp-7.3", - "class": "SP800-53-enhancement", - "title": "Priority of Service", - "properties": [ - { - "name": "label", - "value": "CP-7(3)" - }, - { - "name": "sort-id", - "value": "CP-07(03)" - } - ], - "parts": [ - { - "id": "cp-7.3_smt", - "name": "statement", - "prose": "Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)." - }, - { - "id": "cp-7.3_gdn", - "name": "guidance", - "prose": "Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning." - } - ] - }, - { - "id": "cp-7.4", - "class": "SP800-53-enhancement", - "title": "Preparation for Use", - "properties": [ - { - "name": "label", - "value": "CP-7(4)" - }, - { - "name": "sort-id", - "value": "CP-07(04)" - } - ], - "links": [ - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - } - ], - "parts": [ - { - "id": "cp-7.4_smt", - "name": "statement", - "prose": "Prepare the alternate processing site so that the site can serve as the operational site supporting essential missions and business functions." - }, - { - "id": "cp-7.4_gdn", - "name": "guidance", - "prose": "Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place." - } - ] - } - ] - }, - { - "id": "cp-8", - "class": "SP800-53", - "title": "Telecommunications Services", - "parameters": [ - { - "id": "cp-8_prm_1", - "label": "organization-defined system operations" - }, - { - "id": "cp-8_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-8" - }, - { - "name": "sort-id", - "value": "CP-08" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-11", - "rel": "related", - "text": "CP-11" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "cp-8_smt", - "name": "statement", - "prose": "Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for essential missions and business functions within {{ cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites." - }, - { - "id": "cp-8_gdn", - "name": "guidance", - "prose": "This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements." - } - ], - "controls": [ - { - "id": "cp-8.1", - "class": "SP800-53-enhancement", - "title": "Priority of Service Provisions", - "properties": [ - { - "name": "label", - "value": "CP-8(1)" - }, - { - "name": "sort-id", - "value": "CP-08(01)" - } - ], - "parts": [ - { - "id": "cp-8.1_smt", - "name": "statement", - "parts": [ - { - "id": "cp-8.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and" - }, - { - "id": "cp-8.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier." - } - ] - }, - { - "id": "cp-8.1_gdn", - "name": "guidance", - "prose": "Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program." - } - ] - }, - { - "id": "cp-8.2", - "class": "SP800-53-enhancement", - "title": "Single Points of Failure", - "properties": [ - { - "name": "label", - "value": "CP-8(2)" - }, - { - "name": "sort-id", - "value": "CP-08(02)" - } - ], - "parts": [ - { - "id": "cp-8.2_smt", - "name": "statement", - "prose": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." - }, - { - "id": "cp-8.2_gdn", - "name": "guidance", - "prose": "In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services." - } - ] - }, - { - "id": "cp-8.3", - "class": "SP800-53-enhancement", - "title": "Separation of Primary and Alternate Providers", - "properties": [ - { - "name": "label", - "value": "CP-8(3)" - }, - { - "name": "sort-id", - "value": "CP-08(03)" - } - ], - "parts": [ - { - "id": "cp-8.3_smt", - "name": "statement", - "prose": "Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats." - }, - { - "id": "cp-8.3_gdn", - "name": "guidance", - "prose": "Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment." - } - ] - }, - { - "id": "cp-8.4", - "class": "SP800-53-enhancement", - "title": "Provider Contingency Plan", - "parameters": [ - { - "id": "cp-8.4_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-8(4)" - }, - { - "name": "sort-id", - "value": "CP-08(04)" - } - ], - "links": [ - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - } - ], - "parts": [ - { - "id": "cp-8.4_smt", - "name": "statement", - "parts": [ - { - "id": "cp-8.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Require primary and alternate telecommunications service providers to have contingency plans;" - }, - { - "id": "cp-8.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and" - }, - { - "id": "cp-8.4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Obtain evidence of contingency testing and training by providers {{ cp-8.4_prm_1 }}." - } - ] - }, - { - "id": "cp-8.4_gdn", - "name": "guidance", - "prose": "Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training." - } - ] - } - ] - }, - { - "id": "cp-9", - "class": "SP800-53", - "title": "System Backup", - "parameters": [ - { - "id": "cp-9_prm_1", - "label": "organization-defined system components" - }, - { - "id": "cp-9_prm_2", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "id": "cp-9_prm_3", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "id": "cp-9_prm_4", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9" - }, - { - "name": "sort-id", - "value": "CP-09" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#ae412317-c2b4-47bb-b47b-c329ce0d7a0b", - "rel": "reference", - "text": "[SP 800-130]" - }, - { - "href": "#38dbdf55-9a14-446f-b563-c48e4e3d37fb", - "rel": "reference", - "text": "[SP 800-152]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-9_smt", - "name": "statement", - "parts": [ - { - "id": "cp-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Conduct backups of user-level information contained in {{ cp-9_prm_1 }}\n {{ cp-9_prm_2 }};" - }, - { - "id": "cp-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }};" - }, - { - "id": "cp-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and" - }, - { - "id": "cp-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect the confidentiality, integrity, and availability of backup information." - } - ] - }, - { - "id": "cp-9_gdn", - "name": "guidance", - "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." - } - ], - "controls": [ - { - "id": "cp-9.1", - "class": "SP800-53-enhancement", - "title": "Testing for Reliability and Integrity", - "parameters": [ - { - "id": "cp-9.1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9(1)" - }, - { - "name": "sort-id", - "value": "CP-09(01)" - } - ], - "links": [ - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - } - ], - "parts": [ - { - "id": "cp-9.1_smt", - "name": "statement", - "prose": "Test backup information {{ cp-9.1_prm_1 }} to verify media reliability and information integrity." - }, - { - "id": "cp-9.1_gdn", - "name": "guidance", - "prose": "Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance." - } - ] - }, - { - "id": "cp-9.2", - "class": "SP800-53-enhancement", - "title": "Test Restoration Using Sampling", - "properties": [ - { - "name": "label", - "value": "CP-9(2)" - }, - { - "name": "sort-id", - "value": "CP-09(02)" - } - ], - "links": [ - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - } - ], - "parts": [ - { - "id": "cp-9.2_smt", - "name": "statement", - "prose": "Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing." - }, - { - "id": "cp-9.2_gdn", - "name": "guidance", - "prose": "Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is used to determine if the functions operate as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed." - } - ] - }, - { - "id": "cp-9.3", - "class": "SP800-53-enhancement", - "title": "Separate Storage for Critical Information", - "parameters": [ - { - "id": "cp-9.3_prm_1", - "label": "organization-defined critical system software and other security-related information" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9(3)" - }, - { - "name": "sort-id", - "value": "CP-09(03)" - } - ], - "links": [ - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - } - ], - "parts": [ - { - "id": "cp-9.3_smt", - "name": "statement", - "prose": "Store backup copies of {{ cp-9.3_prm_1 }} in a separate facility or in a fire-rated container that is not collocated with the operational system." - }, - { - "id": "cp-9.3_gdn", - "name": "guidance", - "prose": "Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire-rated containers." - } - ] - }, - { - "id": "cp-9.5", - "class": "SP800-53-enhancement", - "title": "Transfer to Alternate Storage Site", - "parameters": [ - { - "id": "cp-9.5_prm_1", - "label": "organization-defined time-period and transfer rate consistent with the recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9(5)" - }, - { - "name": "sort-id", - "value": "CP-09(05)" - } - ], - "links": [ - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#mp-3", - "rel": "related", - "text": "MP-3" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - } - ], - "parts": [ - { - "id": "cp-9.5_smt", - "name": "statement", - "prose": "Transfer system backup information to the alternate storage site {{ cp-9.5_prm_1 }}." - }, - { - "id": "cp-9.5_gdn", - "name": "guidance", - "prose": "System backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media." - } - ] - }, - { - "id": "cp-9.8", - "class": "SP800-53-enhancement", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "cp-9.8_prm_1", - "label": "organization-defined backup information" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9(8)" - }, - { - "name": "sort-id", - "value": "CP-09(08)" - } - ], - "links": [ - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - } - ], - "parts": [ - { - "id": "cp-9.8_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ cp-9.8_prm_1 }}." - }, - { - "id": "cp-9.8_gdn", - "name": "guidance", - "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions." - } - ] - } - ] - }, - { - "id": "cp-10", - "class": "SP800-53", - "title": "System Recovery and Reconstitution", - "parameters": [ - { - "id": "cp-10_prm_1", - "label": "organization-defined time-period consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-10" - }, - { - "name": "sort-id", - "value": "CP-10" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-24", - "rel": "related", - "text": "SC-24" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-10_smt", - "name": "statement", - "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure." - }, - { - "id": "cp-10_gdn", - "name": "guidance", - "prose": "Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." - } - ], - "controls": [ - { - "id": "cp-10.2", - "class": "SP800-53-enhancement", - "title": "Transaction Recovery", - "properties": [ - { - "name": "label", - "value": "CP-10(2)" - }, - { - "name": "sort-id", - "value": "CP-10(02)" - } - ], - "parts": [ - { - "id": "cp-10.2_smt", - "name": "statement", - "prose": "Implement transaction recovery for systems that are transaction-based." - }, - { - "id": "cp-10.2_gdn", - "name": "guidance", - "prose": "Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling." - } - ] - }, - { - "id": "cp-10.4", - "class": "SP800-53-enhancement", - "title": "Restore Within Time-period", - "parameters": [ - { - "id": "cp-10.4_prm_1", - "label": "organization-defined restoration time-periods" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-10(4)" - }, - { - "name": "sort-id", - "value": "CP-10(04)" - } - ], - "links": [ - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - } - ], - "parts": [ - { - "id": "cp-10.4_smt", - "name": "statement", - "prose": "Provide the capability to restore system components within {{ cp-10.4_prm_1 }} from configuration-controlled and integrity-protected information representing a known, operational state for the components." - }, - { - "id": "cp-10.4_gdn", - "name": "guidance", - "prose": "Restoration of system components includes reimaging which restores the components to known, operational states." - } - ] - } - ] - } - ] - }, - { - "id": "ia", - "class": "family", - "title": "Identification and Authentication", - "controls": [ - { - "id": "ia-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ia-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ia-1_prm_2" - }, - { - "id": "ia-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ia-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ia-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-1" - }, - { - "name": "sort-id", - "value": "IA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ia-1_smt", - "name": "statement", - "parts": [ - { - "id": "ia-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ia-1_prm_1 }}:", - "parts": [ - { - "id": "ia-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ia-1_prm_2 }} identification and authentication policy that:", - "parts": [ - { - "id": "ia-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ia-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ia-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" - } - ] - }, - { - "id": "ia-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" - }, - { - "id": "ia-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current identification and authentication:", - "parts": [ - { - "id": "ia-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ia-1_prm_4 }}; and" - }, - { - "id": "ia-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ia-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ia-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ia-2", - "class": "SP800-53", - "title": "Identification and Authentication (organizational Users)", - "properties": [ - { - "name": "label", - "value": "IA-2" - }, - { - "name": "sort-id", - "value": "IA-02" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa", - "rel": "reference", - "text": "[SP 800-156]" - }, - { - "href": "#a8f55663-86c5-415b-aabe-d2a126981d65", - "rel": "reference", - "text": "[SP 800-166]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#daf69edb-a0ef-4447-9880-8c4bf553181f", - "rel": "reference", - "text": "[IR 7676]" - }, - { - "href": "#a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "rel": "reference", - "text": "[IR 7817]" - }, - { - "href": "#972c10bd-aedf-485f-b0db-f46a402127e2", - "rel": "reference", - "text": "[IR 7849]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "ia-2_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users." - }, - { - "id": "ia-2_gdn", - "name": "guidance", - "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8." - } - ], - "controls": [ - { - "id": "ia-2.1", - "class": "SP800-53-enhancement", - "title": "Multifactor Authentication to Privileged Accounts", - "properties": [ - { - "name": "label", - "value": "IA-2(1)" - }, - { - "name": "sort-id", - "value": "IA-02(01)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - } - ], - "parts": [ - { - "id": "ia-2.1_smt", - "name": "statement", - "prose": "Implement multifactor authentication for access to privileged accounts." - }, - { - "id": "ia-2.1_gdn", - "name": "guidance", - "prose": "Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." - } - ] - }, - { - "id": "ia-2.2", - "class": "SP800-53-enhancement", - "title": "Multifactor Authentication to Non-privileged Accounts", - "properties": [ - { - "name": "label", - "value": "IA-2(2)" - }, - { - "name": "sort-id", - "value": "IA-02(02)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - } - ], - "parts": [ - { - "id": "ia-2.2_smt", - "name": "statement", - "prose": "Implement multifactor authentication for access to non-privileged accounts." - }, - { - "id": "ia-2.2_gdn", - "name": "guidance", - "prose": "Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." - } - ] - }, - { - "id": "ia-2.5", - "class": "SP800-53-enhancement", - "title": "Individual Authentication with Group Authentication", - "properties": [ - { - "name": "label", - "value": "IA-2(5)" - }, - { - "name": "sort-id", - "value": "IA-02(05)" - } - ], - "parts": [ - { - "id": "ia-2.5_smt", - "name": "statement", - "prose": "When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources." - }, - { - "id": "ia-2.5_gdn", - "name": "guidance", - "prose": "Individual authentication prior to shared group authentication helps to mitigate the risk of using group accounts or authenticators." - } - ] - }, - { - "id": "ia-2.8", - "class": "SP800-53-enhancement", - "title": "Access to Accounts — Replay Resistant", - "parameters": [ - { - "id": "ia-2.8_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-2(8)" - }, - { - "name": "sort-id", - "value": "IA-02(08)" - } - ], - "parts": [ - { - "id": "ia-2.8_smt", - "name": "statement", - "prose": "Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}." - }, - { - "id": "ia-2.8_gdn", - "name": "guidance", - "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators." - } - ] - }, - { - "id": "ia-2.12", - "class": "SP800-53-enhancement", - "title": "Acceptance of PIV Credentials", - "properties": [ - { - "name": "label", - "value": "IA-2(12)" - }, - { - "name": "sort-id", - "value": "IA-02(12)" - } - ], - "parts": [ - { - "id": "ia-2.12_smt", - "name": "statement", - "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials." - }, - { - "id": "ia-2.12_gdn", - "name": "guidance", - "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential." - } - ] - } - ] - }, - { - "id": "ia-3", - "class": "SP800-53", - "title": "Device Identification and Authentication", - "parameters": [ - { - "id": "ia-3_prm_1", - "label": "organization-defined devices and/or types of devices" - }, - { - "id": "ia-3_prm_2" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-3" - }, - { - "name": "sort-id", - "value": "IA-03" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ia-3_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }} connection." - }, - { - "id": "ia-3_gdn", - "name": "guidance", - "prose": "Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need." - } - ] - }, - { - "id": "ia-4", - "class": "SP800-53", - "title": "Identifier Management", - "parameters": [ - { - "id": "ia-4_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ia-4_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-4" - }, - { - "name": "sort-id", - "value": "IA-04" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - } - ], - "parts": [ - { - "id": "ia-4_smt", - "name": "statement", - "prose": "Manage system identifiers by:", - "parts": [ - { - "id": "ia-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier;" - }, - { - "id": "ia-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" - }, - { - "id": "ia-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" - }, - { - "id": "ia-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Preventing reuse of identifiers for {{ ia-4_prm_2 }}." - } - ] - }, - { - "id": "ia-4_gdn", - "name": "guidance", - "prose": "Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." - } - ], - "controls": [ - { - "id": "ia-4.4", - "class": "SP800-53-enhancement", - "title": "Identify User Status", - "parameters": [ - { - "id": "ia-4.4_prm_1", - "label": "organization-defined characteristic identifying individual status" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-4(4)" - }, - { - "name": "sort-id", - "value": "IA-04(04)" - } - ], - "parts": [ - { - "id": "ia-4.4_smt", - "name": "statement", - "prose": "Manage individual identifiers by uniquely identifying each individual as {{ ia-4.4_prm_1 }}." - }, - { - "id": "ia-4.4_gdn", - "name": "guidance", - "prose": "Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor." - } - ] - } - ] - }, - { - "id": "ia-5", - "class": "SP800-53", - "title": "Authenticator Management", - "parameters": [ - { - "id": "ia-5_prm_1", - "label": "organization-defined time-period by authenticator type" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-5" - }, - { - "name": "sort-id", - "value": "IA-05" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "rel": "reference", - "text": "[IR 7817]" - }, - { - "href": "#972c10bd-aedf-485f-b0db-f46a402127e2", - "rel": "reference", - "text": "[IR 7849]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#24738ee6-b3f3-4e37-825b-58775846bdbc", - "rel": "reference", - "text": "[IR 8040]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - } - ], - "parts": [ - { - "id": "ia-5_smt", - "name": "statement", - "prose": "Manage system authenticators by:", - "parts": [ - { - "id": "ia-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" - }, - { - "id": "ia-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" - }, - { - "id": "ia-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" - }, - { - "id": "ia-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" - }, - { - "id": "ia-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;" - }, - { - "id": "ia-5_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Changing default authenticators prior to first use;" - }, - { - "id": "ia-5_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Changing or refreshing authenticators {{ ia-5_prm_1 }};" - }, - { - "id": "ia-5_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Protecting authenticator content from unauthorized disclosure and modification;" - }, - { - "id": "ia-5_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" - }, - { - "id": "ia-5_smt.j", - "name": "item", - "properties": [ - { - "name": "label", - "value": "j." - } - ], - "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." - } - ] - }, - { - "id": "ia-5_gdn", - "name": "guidance", - "prose": "Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." - } - ], - "controls": [ - { - "id": "ia-5.1", - "class": "SP800-53-enhancement", - "title": "Password-based Authentication", - "parameters": [ - { - "id": "ia-5.1_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ia-5.1_prm_2", - "label": "organization-defined composition and complexity rules" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-5(1)" - }, - { - "name": "sort-id", - "value": "IA-05(01)" - } - ], - "links": [ - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - } - ], - "parts": [ - { - "id": "ia-5.1_smt", - "name": "statement", - "prose": "For password-based authentication:", - "parts": [ - { - "id": "ia-5.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" - }, - { - "id": "ia-5.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;" - }, - { - "id": "ia-5.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Transmit only cryptographically-protected passwords;" - }, - { - "id": "ia-5.1_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;" - }, - { - "id": "ia-5.1_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(e)" - } - ], - "prose": "Require immediate selection of a new password upon account recovery;" - }, - { - "id": "ia-5.1_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(f)" - } - ], - "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" - }, - { - "id": "ia-5.1_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(g)" - } - ], - "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" - }, - { - "id": "ia-5.1_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(h)" - } - ], - "prose": "Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}." - } - ] - }, - { - "id": "ia-5.1_gdn", - "name": "guidance", - "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof." - } - ] - }, - { - "id": "ia-5.2", - "class": "SP800-53-enhancement", - "title": "Implement a local cache of revocation data to support path discovery and validation.", - "properties": [ - { - "name": "label", - "value": "IA-5(2)" - }, - { - "name": "sort-id", - "value": "IA-05(02)" - } - ], - "links": [ - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#sc-17", - "rel": "related", - "text": "SC-17" - } - ], - "parts": [ - { - "id": "ia-5.2_smt", - "name": "statement", - "prose": "Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network." - }, - { - "id": "ia-5.2_gdn", - "name": "guidance" - } - ] - }, - { - "id": "ia-5.6", - "class": "SP800-53-enhancement", - "title": "Protection of Authenticators", - "properties": [ - { - "name": "label", - "value": "IA-5(6)" - }, - { - "name": "sort-id", - "value": "IA-05(06)" - } - ], - "links": [ - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - } - ], - "parts": [ - { - "id": "ia-5.6_smt", - "name": "statement", - "prose": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access." - }, - { - "id": "ia-5.6_gdn", - "name": "guidance", - "prose": "For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process." - } - ] - } - ] - }, - { - "id": "ia-6", - "class": "SP800-53", - "title": "Authenticator Feedback", - "properties": [ - { - "name": "label", - "value": "IA-6" - }, - { - "name": "sort-id", - "value": "IA-06" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - } - ], - "parts": [ - { - "id": "ia-6_smt", - "name": "statement", - "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." - }, - { - "id": "ia-6_gdn", - "name": "guidance", - "prose": "Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it." - } - ] - }, - { - "id": "ia-7", - "class": "SP800-53", - "title": "Cryptographic Module Authentication", - "properties": [ - { - "name": "label", - "value": "IA-7" - }, - { - "name": "sort-id", - "value": "IA-07" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ia-7_smt", - "name": "statement", - "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." - }, - { - "id": "ia-7_gdn", - "name": "guidance", - "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." - } - ] - }, - { - "id": "ia-8", - "class": "SP800-53", - "title": "Identification and Authentication (non-organizational Users)", - "properties": [ - { - "name": "label", - "value": "IA-8" - }, - { - "name": "sort-id", - "value": "IA-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "rel": "reference", - "text": "[SP 800-116]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-10", - "rel": "related", - "text": "IA-10" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - } - ], - "parts": [ - { - "id": "ia-8_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." - }, - { - "id": "ia-8_gdn", - "name": "guidance", - "prose": "Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." - } - ], - "controls": [ - { - "id": "ia-8.1", - "class": "SP800-53-enhancement", - "title": "Acceptance of PIV Credentials from Other Agencies", - "properties": [ - { - "name": "label", - "value": "IA-8(1)" - }, - { - "name": "sort-id", - "value": "IA-08(01)" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - } - ], - "parts": [ - { - "id": "ia-8.1_smt", - "name": "statement", - "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." - }, - { - "id": "ia-8.1_gdn", - "name": "guidance", - "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]." - } - ] - }, - { - "id": "ia-8.2", - "class": "SP800-53-enhancement", - "title": "Acceptance of External Credentials", - "properties": [ - { - "name": "label", - "value": "IA-8(2)" - }, - { - "name": "sort-id", - "value": "IA-08(02)" - } - ], - "parts": [ - { - "id": "ia-8.2_smt", - "name": "statement", - "prose": "Accept only external credentials that are NIST-compliant." - }, - { - "id": "ia-8.2_gdn", - "name": "guidance", - "prose": "Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels." - } - ] - }, - { - "id": "ia-8.4", - "class": "SP800-53-enhancement", - "title": "Use of Nist-issued Profiles", - "properties": [ - { - "name": "label", - "value": "IA-8(4)" - }, - { - "name": "sort-id", - "value": "IA-08(04)" - } - ], - "parts": [ - { - "id": "ia-8.4_smt", - "name": "statement", - "prose": "Conform to NIST-issued profiles for identity management." - }, - { - "id": "ia-8.4_gdn", - "name": "guidance", - "prose": "Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols." - } - ] - } - ] - }, - { - "id": "ia-11", - "class": "SP800-53", - "title": "Re-authentication", - "parameters": [ - { - "id": "ia-11_prm_1", - "label": "organization-defined circumstances or situations requiring re-authentication" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-11" - }, - { - "name": "sort-id", - "value": "IA-11" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - } - ], - "parts": [ - { - "id": "ia-11_smt", - "name": "statement", - "prose": "Require users to re-authenticate when {{ ia-11_prm_1 }}." - }, - { - "id": "ia-11_gdn", - "name": "guidance", - "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically." - } - ] - }, - { - "id": "ia-12", - "class": "SP800-53", - "title": "Identity Proofing", - "properties": [ - { - "name": "label", - "value": "IA-12" - }, - { - "name": "sort-id", - "value": "IA-12" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3c50fa31-7f4d-4d30-91d7-27ee87cd5f75", - "rel": "reference", - "text": "[SP 800-63A]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - } - ], - "parts": [ - { - "id": "ia-12_smt", - "name": "statement", - "parts": [ - { - "id": "ia-12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;" - }, - { - "id": "ia-12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Resolve user identities to a unique individual; and" - }, - { - "id": "ia-12_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Collect, validate, and verify identity evidence." - } - ] - }, - { - "id": "ia-12_gdn", - "name": "guidance", - "prose": "Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A]." - } - ], - "controls": [ - { - "id": "ia-12.2", - "class": "SP800-53-enhancement", - "title": "Identity Evidence", - "properties": [ - { - "name": "label", - "value": "IA-12(2)" - }, - { - "name": "sort-id", - "value": "IA-12(02)" - } - ], - "parts": [ - { - "id": "ia-12.2_smt", - "name": "statement", - "prose": "Require evidence of individual identification be presented to the registration authority." - }, - { - "id": "ia-12.2_gdn", - "name": "guidance", - "prose": "Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account." - } - ] - }, - { - "id": "ia-12.3", - "class": "SP800-53-enhancement", - "title": "Identity Evidence Validation and Verification", - "parameters": [ - { - "id": "ia-12.3_prm_1", - "label": "organizational defined methods of validation and verification" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-12(3)" - }, - { - "name": "sort-id", - "value": "IA-12(03)" - } - ], - "parts": [ - { - "id": "ia-12.3_smt", - "name": "statement", - "prose": "Require that the presented identity evidence be validated and verified through {{ ia-12.3_prm_1 }}." - }, - { - "id": "ia-12.3_gdn", - "name": "guidance", - "prose": "Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account" - } - ] - }, - { - "id": "ia-12.4", - "class": "SP800-53-enhancement", - "title": "In-person Validation and Verification", - "properties": [ - { - "name": "label", - "value": "IA-12(4)" - }, - { - "name": "sort-id", - "value": "IA-12(04)" - } - ], - "parts": [ - { - "id": "ia-12.4_smt", - "name": "statement", - "prose": "Require that the validation and verification of identity evidence be conducted in person before a designated registration authority." - }, - { - "id": "ia-12.4_gdn", - "name": "guidance", - "prose": "In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities." - } - ] - }, - { - "id": "ia-12.5", - "class": "SP800-53-enhancement", - "title": "Address Confirmation", - "parameters": [ - { - "id": "ia-12.5_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-12(5)" - }, - { - "name": "sort-id", - "value": "IA-12(05)" - } - ], - "links": [ - { - "href": "#ia-12", - "rel": "related", - "text": "IA-12" - } - ], - "parts": [ - { - "id": "ia-12.5_smt", - "name": "statement", - "prose": "Require that a {{ ia-12.5_prm_1 }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record." - }, - { - "id": "ia-12.5_gdn", - "name": "guidance", - "prose": "To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses." - } - ] - } - ] - } - ] - }, - { - "id": "ir", - "class": "family", - "title": "Incident Response", - "controls": [ - { - "id": "ir-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ir-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-1_prm_2" - }, - { - "id": "ir-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ir-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ir-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-1" - }, - { - "name": "sort-id", - "value": "IR-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ir-1_smt", - "name": "statement", - "parts": [ - { - "id": "ir-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ir-1_prm_1 }}:", - "parts": [ - { - "id": "ir-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ir-1_prm_2 }} incident response policy that:", - "parts": [ - { - "id": "ir-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ir-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ir-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" - } - ] - }, - { - "id": "ir-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" - }, - { - "id": "ir-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current incident response:", - "parts": [ - { - "id": "ir-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ir-1_prm_4 }}; and" - }, - { - "id": "ir-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ir-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ir-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ir-2", - "class": "SP800-53", - "title": "Incident Response Training", - "parameters": [ - { - "id": "ir-2_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ir-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-2" - }, - { - "name": "sort-id", - "value": "IR-02" - } - ], - "links": [ - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "ir-2_smt", - "name": "statement", - "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", - "parts": [ - { - "id": "ir-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access;" - }, - { - "id": "ir-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When required by system changes; and" - }, - { - "id": "ir-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "\n {{ ir-2_prm_2 }} thereafter." - } - ] - }, - { - "id": "ir-2_gdn", - "name": "guidance", - "prose": "Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3." - } - ], - "controls": [ - { - "id": "ir-2.1", - "class": "SP800-53-enhancement", - "title": "Simulated Events", - "properties": [ - { - "name": "label", - "value": "IR-2(1)" - }, - { - "name": "sort-id", - "value": "IR-02(01)" - } - ], - "parts": [ - { - "id": "ir-2.1_smt", - "name": "statement", - "prose": "Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations." - }, - { - "id": "ir-2.1_gdn", - "name": "guidance", - "prose": "Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations." - } - ] - }, - { - "id": "ir-2.2", - "class": "SP800-53-enhancement", - "title": "Automated Training Environments", - "parameters": [ - { - "id": "ir-2.2_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-2(2)" - }, - { - "name": "sort-id", - "value": "IR-02(02)" - } - ], - "parts": [ - { - "id": "ir-2.2_smt", - "name": "statement", - "prose": "Provide an incident response training environment using {{ ir-2.2_prm_1 }}." - }, - { - "id": "ir-2.2_gdn", - "name": "guidance", - "prose": "Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues; by selecting more realistic training scenarios and training environments; and by stressing the response capability." - } - ] - } - ] - }, - { - "id": "ir-3", - "class": "SP800-53", - "title": "Incident Response Testing", - "parameters": [ - { - "id": "ir-3_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ir-3_prm_2", - "label": "organization-defined tests" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-3" - }, - { - "name": "sort-id", - "value": "IR-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#20bf433b-074c-47a0-8fca-cd591772ccd6", - "rel": "reference", - "text": "[SP 800-84]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - } - ], - "parts": [ - { - "id": "ir-3_smt", - "name": "statement", - "prose": "Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}." - }, - { - "id": "ir-3_gdn", - "name": "guidance", - "prose": "Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." - } - ], - "controls": [ - { - "id": "ir-3.2", - "class": "SP800-53-enhancement", - "title": "Coordination with Related Plans", - "properties": [ - { - "name": "label", - "value": "IR-3(2)" - }, - { - "name": "sort-id", - "value": "IR-03(02)" - } - ], - "parts": [ - { - "id": "ir-3.2_smt", - "name": "statement", - "prose": "Coordinate incident response testing with organizational elements responsible for related plans." - }, - { - "id": "ir-3.2_gdn", - "name": "guidance", - "prose": "Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans." - } - ] - } - ] - }, - { - "id": "ir-4", - "class": "SP800-53", - "title": "Incident Handling", - "properties": [ - { - "name": "label", - "value": "IR-4" - }, - { - "name": "sort-id", - "value": "IR-04" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#35dfd59f-eef2-4f71-bdb5-6d878267456a", - "rel": "reference", - "text": "[SP 800-86]" - }, - { - "href": "#1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "rel": "reference", - "text": "[SP 800-101]" - }, - { - "href": "#ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "rel": "reference", - "text": "[SP 800-150]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#08f518f7-f9b9-4bee-8986-860214f46b16", - "rel": "reference", - "text": "[SP 800-184]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ir-4_smt", - "name": "statement", - "parts": [ - { - "id": "ir-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" - }, - { - "id": "ir-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate incident handling activities with contingency planning activities;" - }, - { - "id": "ir-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" - }, - { - "id": "ir-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." - } - ] - }, - { - "id": "ir-4_gdn", - "name": "guidance", - "prose": "Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk." - } - ], - "controls": [ - { - "id": "ir-4.1", - "class": "SP800-53-enhancement", - "title": "Automated Incident Handling Processes", - "parameters": [ - { - "id": "ir-4.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-4(1)" - }, - { - "name": "sort-id", - "value": "IR-04(01)" - } - ], - "parts": [ - { - "id": "ir-4.1_smt", - "name": "statement", - "prose": "Support the incident handling process using {{ ir-4.1_prm_1 }}." - }, - { - "id": "ir-4.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis." - } - ] - }, - { - "id": "ir-4.4", - "class": "SP800-53-enhancement", - "title": "Information Correlation", - "properties": [ - { - "name": "label", - "value": "IR-4(4)" - }, - { - "name": "sort-id", - "value": "IR-04(04)" - } - ], - "parts": [ - { - "id": "ir-4.4_smt", - "name": "statement", - "prose": "Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response." - }, - { - "id": "ir-4.4_gdn", - "name": "guidance", - "prose": "Sometimes a threat event, for example, a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations." - } - ] - } - ] - }, - { - "id": "ir-5", - "class": "SP800-53", - "title": "Incident Monitoring", - "properties": [ - { - "name": "label", - "value": "IR-5" - }, - { - "name": "sort-id", - "value": "IR-05" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ir-5_smt", - "name": "statement", - "prose": "Track and document security, privacy, and supply chain incidents." - }, - { - "id": "ir-5_gdn", - "name": "guidance", - "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports." - } - ], - "controls": [ - { - "id": "ir-5.1", - "class": "SP800-53-enhancement", - "title": "Automated Tracking, Data Collection, and Analysis", - "parameters": [ - { - "id": "ir-5.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-5(1)" - }, - { - "name": "sort-id", - "value": "IR-05(01)" - } - ], - "links": [ - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - } - ], - "parts": [ - { - "id": "ir-5.1_smt", - "name": "statement", - "prose": "Track security and privacy incidents and collect and analyze incident information using {{ ir-5.1_prm_1 }}." - }, - { - "id": "ir-5.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms for tracking incidents and for collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices." - } - ] - } - ] - }, - { - "id": "ir-6", - "class": "SP800-53", - "title": "Incident Reporting", - "parameters": [ - { - "id": "ir-6_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ir-6_prm_2", - "label": "organization-defined authorities" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-6" - }, - { - "name": "sort-id", - "value": "IR-06" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "ir-6_smt", - "name": "statement", - "parts": [ - { - "id": "ir-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and" - }, - { - "id": "ir-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}." - } - ] - }, - { - "id": "ir-6_gdn", - "name": "guidance", - "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ], - "controls": [ - { - "id": "ir-6.1", - "class": "SP800-53-enhancement", - "title": "Automated Reporting", - "parameters": [ - { - "id": "ir-6.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-6(1)" - }, - { - "name": "sort-id", - "value": "IR-06(01)" - } - ], - "links": [ - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - } - ], - "parts": [ - { - "id": "ir-6.1_smt", - "name": "statement", - "prose": "Report incidents using {{ ir-6.1_prm_1 }}." - }, - { - "id": "ir-6.1_gdn", - "name": "guidance", - "prose": "Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs." - } - ] - }, - { - "id": "ir-6.3", - "class": "SP800-53-enhancement", - "title": "Supply Chain Coordination", - "properties": [ - { - "name": "label", - "value": "IR-6(3)" - }, - { - "name": "sort-id", - "value": "IR-06(03)" - } - ], - "links": [ - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - } - ], - "parts": [ - { - "id": "ir-6.3_smt", - "name": "statement", - "prose": "Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident." - }, - { - "id": "ir-6.3_gdn", - "name": "guidance", - "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident." - } - ] - } - ] - }, - { - "id": "ir-7", - "class": "SP800-53", - "title": "Incident Response Assistance", - "properties": [ - { - "name": "label", - "value": "IR-7" - }, - { - "name": "sort-id", - "value": "IR-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-26", - "rel": "related", - "text": "PM-26" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "ir-7_smt", - "name": "statement", - "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents." - }, - { - "id": "ir-7_gdn", - "name": "guidance", - "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." - } - ], - "controls": [ - { - "id": "ir-7.1", - "class": "SP800-53-enhancement", - "title": "Automation Support for Availability of Information and Support", - "parameters": [ - { - "id": "ir-7.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-7(1)" - }, - { - "name": "sort-id", - "value": "IR-07(01)" - } - ], - "parts": [ - { - "id": "ir-7.1_smt", - "name": "statement", - "prose": "Increase the availability of incident response information and support using {{ ir-7.1_prm_1 }}." - }, - { - "id": "ir-7.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support." - } - ] - } - ] - }, - { - "id": "ir-8", - "class": "SP800-53", - "title": "Incident Response Plan", - "parameters": [ - { - "id": "ir-8_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-8_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "ir-8_prm_3", - "label": "organization-defined entities, personnel, or roles" - }, - { - "id": "ir-8_prm_4", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "id": "ir-8_prm_5", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-8" - }, - { - "name": "sort-id", - "value": "IR-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#389fe193-866e-46b1-bf1d-38904b56aa7b", - "rel": "reference", - "text": "[OMB M-17-12]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - } - ], - "parts": [ - { - "id": "ir-8_smt", - "name": "statement", - "parts": [ - { - "id": "ir-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop an incident response plan that:", - "parts": [ - { - "id": "ir-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Provides the organization with a roadmap for implementing its incident response capability;" - }, - { - "id": "ir-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Describes the structure and organization of the incident response capability;" - }, - { - "id": "ir-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" - }, - { - "id": "ir-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" - }, - { - "id": "ir-8_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Defines reportable incidents;" - }, - { - "id": "ir-8_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provides metrics for measuring the incident response capability within the organization;" - }, - { - "id": "ir-8_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" - }, - { - "id": "ir-8_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and" - }, - { - "id": "ir-8_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}." - } - ] - }, - { - "id": "ir-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the incident response plan to {{ ir-8_prm_4 }};" - }, - { - "id": "ir-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" - }, - { - "id": "ir-8_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Communicate incident response plan changes to {{ ir-8_prm_5 }}; and" - }, - { - "id": "ir-8_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the incident response plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "ir-8_gdn", - "name": "guidance", - "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." - } - ] - }, - { - "id": "ir-10", - "class": "SP800-53", - "title": "Incident Analysis", - "properties": [ - { - "name": "label", - "value": "IR-10" - }, - { - "name": "status", - "value": "Withdrawn" - }, - { - "name": "sort-id", - "value": "IR-10" - } - ], - "links": [ - { - "href": "#ir-4.11", - "rel": "incorporated-into", - "text": "IR-4(11)" - } - ] - } - ] - }, - { - "id": "ma", - "class": "family", - "title": "Maintenance", - "controls": [ - { - "id": "ma-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ma-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ma-1_prm_2" - }, - { - "id": "ma-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ma-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ma-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-1" - }, - { - "name": "sort-id", - "value": "MA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ma-1_smt", - "name": "statement", - "parts": [ - { - "id": "ma-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ma-1_prm_1 }}:", - "parts": [ - { - "id": "ma-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ma-1_prm_2 }} maintenance policy that:", - "parts": [ - { - "id": "ma-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ma-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ma-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" - } - ] - }, - { - "id": "ma-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" - }, - { - "id": "ma-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current maintenance:", - "parts": [ - { - "id": "ma-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ma-1_prm_4 }}; and" - }, - { - "id": "ma-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ma-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ma-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ma-2", - "class": "SP800-53", - "title": "Controlled Maintenance", - "parameters": [ - { - "id": "ma-2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ma-2_prm_2", - "label": "organization-defined information" - }, - { - "id": "ma-2_prm_3", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-2" - }, - { - "name": "sort-id", - "value": "MA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "ma-2_smt", - "name": "statement", - "parts": [ - { - "id": "ma-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" - }, - { - "id": "ma-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" - }, - { - "id": "ma-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" - }, - { - "id": "ma-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }};" - }, - { - "id": "ma-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" - }, - { - "id": "ma-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}." - } - ] - }, - { - "id": "ma-2_gdn", - "name": "guidance", - "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems." - } - ], - "controls": [ - { - "id": "ma-2.2", - "class": "SP800-53-enhancement", - "title": "Automated Maintenance Activities", - "parameters": [ - { - "id": "ma-2.2_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-2(2)" - }, - { - "name": "sort-id", - "value": "MA-02(02)" - } - ], - "links": [ - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - } - ], - "parts": [ - { - "id": "ma-2.2_smt", - "name": "statement", - "parts": [ - { - "id": "ma-2.2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ ma-2.2_prm_1 }}; and" - }, - { - "id": "ma-2.2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed." - } - ] - }, - { - "id": "ma-2.2_gdn", - "name": "guidance", - "prose": "The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records." - } - ] - } - ] - }, - { - "id": "ma-3", - "class": "SP800-53", - "title": "Maintenance Tools", - "parameters": [ - { - "id": "ma-3_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-3" - }, - { - "name": "sort-id", - "value": "MA-03" - } - ], - "links": [ - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - } - ], - "parts": [ - { - "id": "ma-3_smt", - "name": "statement", - "parts": [ - { - "id": "ma-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve, control, and monitor the use of system maintenance tools; and" - }, - { - "id": "ma-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review previously approved system maintenance tools {{ ma-3_prm_1 }}." - } - ] - }, - { - "id": "ma-3_gdn", - "name": "guidance", - "prose": "Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools." - } - ], - "controls": [ - { - "id": "ma-3.1", - "class": "SP800-53-enhancement", - "title": "Inspect Tools", - "properties": [ - { - "name": "label", - "value": "MA-3(1)" - }, - { - "name": "sort-id", - "value": "MA-03(01)" - } - ], - "links": [ - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ma-3.1_smt", - "name": "statement", - "prose": "Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications." - }, - { - "id": "ma-3.1_gdn", - "name": "guidance", - "prose": "Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling." - } - ] - }, - { - "id": "ma-3.2", - "class": "SP800-53-enhancement", - "title": "Inspect Media", - "properties": [ - { - "name": "label", - "value": "MA-3(2)" - }, - { - "name": "sort-id", - "value": "MA-03(02)" - } - ], - "links": [ - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - } - ], - "parts": [ - { - "id": "ma-3.2_smt", - "name": "statement", - "prose": "Check media containing diagnostic and test programs for malicious code before the media are used in the system." - }, - { - "id": "ma-3.2_gdn", - "name": "guidance", - "prose": "If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures." - } - ] - }, - { - "id": "ma-3.3", - "class": "SP800-53-enhancement", - "title": "Prevent Unauthorized Removal", - "parameters": [ - { - "id": "ma-3.3_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-3(3)" - }, - { - "name": "sort-id", - "value": "MA-03(03)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - } - ], - "parts": [ - { - "id": "ma-3.3_smt", - "name": "statement", - "prose": "Prevent the removal of maintenance equipment containing organizational information by:", - "parts": [ - { - "id": "ma-3.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Verifying that there is no organizational information contained on the equipment;" - }, - { - "id": "ma-3.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Sanitizing or destroying the equipment;" - }, - { - "id": "ma-3.3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Retaining the equipment within the facility; or" - }, - { - "id": "ma-3.3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility." - } - ] - }, - { - "id": "ma-3.3_gdn", - "name": "guidance", - "prose": "Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards." - } - ] - } - ] - }, - { - "id": "ma-4", - "class": "SP800-53", - "title": "Nonlocal Maintenance", - "properties": [ - { - "name": "label", - "value": "MA-4" - }, - { - "name": "sort-id", - "value": "MA-04" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#bbc7085f-b383-444e-af74-722a55cccc0f", - "rel": "reference", - "text": "[FIPS 197]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - } - ], - "parts": [ - { - "id": "ma-4_smt", - "name": "statement", - "parts": [ - { - "id": "ma-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" - }, - { - "id": "ma-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" - }, - { - "id": "ma-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;" - }, - { - "id": "ma-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" - }, - { - "id": "ma-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Terminate session and network connections when nonlocal maintenance is completed." - } - ] - }, - { - "id": "ma-4_gdn", - "name": "guidance", - "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls." - } - ], - "controls": [ - { - "id": "ma-4.3", - "class": "SP800-53-enhancement", - "title": "Comparable Security and Sanitization", - "properties": [ - { - "name": "label", - "value": "MA-4(3)" - }, - { - "name": "sort-id", - "value": "MA-04(03)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ma-4.3_smt", - "name": "statement", - "parts": [ - { - "id": "ma-4.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or" - }, - { - "id": "ma-4.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system." - } - ] - }, - { - "id": "ma-4.3_gdn", - "name": "guidance", - "prose": "Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced." - } - ] - } - ] - }, - { - "id": "ma-5", - "class": "SP800-53", - "title": "Maintenance Personnel", - "properties": [ - { - "name": "label", - "value": "MA-5" - }, - { - "name": "sort-id", - "value": "MA-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "ma-5_smt", - "name": "statement", - "parts": [ - { - "id": "ma-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" - }, - { - "id": "ma-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" - }, - { - "id": "ma-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." - } - ] - }, - { - "id": "ma-5_gdn", - "name": "guidance", - "prose": "Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods." - } - ], - "controls": [ - { - "id": "ma-5.1", - "class": "SP800-53-enhancement", - "title": "Individuals Without Appropriate Access", - "parameters": [ - { - "id": "ma-5.1_prm_1", - "label": "organization-defined alternate controls" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-5(1)" - }, - { - "name": "sort-id", - "value": "MA-05(01)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "ma-5.1_smt", - "name": "statement", - "parts": [ - { - "id": "ma-5.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:", - "parts": [ - { - "id": "ma-5.1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(1)" - } - ], - "prose": "Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;" - }, - { - "id": "ma-5.1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(2)" - } - ], - "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and" - } - ] - }, - { - "id": "ma-5.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Develop and implement {{ ma-5.1_prm_1 }} in the event a system component cannot be sanitized, removed, or disconnected from the system." - } - ] - }, - { - "id": "ma-5.1_gdn", - "name": "guidance", - "prose": "Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems." - } - ] - } - ] - }, - { - "id": "ma-6", - "class": "SP800-53", - "title": "Timely Maintenance", - "parameters": [ - { - "id": "ma-6_prm_1", - "label": "organization-defined system components" - }, - { - "id": "ma-6_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-6" - }, - { - "name": "sort-id", - "value": "MA-06" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "ma-6_smt", - "name": "statement", - "prose": "Obtain maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure." - }, - { - "id": "ma-6_gdn", - "name": "guidance", - "prose": "Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place." - } - ] - } - ] - }, - { - "id": "mp", - "class": "family", - "title": "Media Protection", - "controls": [ - { - "id": "mp-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "mp-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "mp-1_prm_2" - }, - { - "id": "mp-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "mp-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "mp-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-1" - }, - { - "name": "sort-id", - "value": "MP-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-1_smt", - "name": "statement", - "parts": [ - { - "id": "mp-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ mp-1_prm_1 }}:", - "parts": [ - { - "id": "mp-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ mp-1_prm_2 }} media protection policy that:", - "parts": [ - { - "id": "mp-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "mp-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "mp-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" - } - ] - }, - { - "id": "mp-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" - }, - { - "id": "mp-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current media protection:", - "parts": [ - { - "id": "mp-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ mp-1_prm_4 }}; and" - }, - { - "id": "mp-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ mp-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "mp-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "mp-2", - "class": "SP800-53", - "title": "Media Access", - "parameters": [ - { - "id": "mp-2_prm_1", - "label": "organization-defined types of digital and/or non-digital media" - }, - { - "id": "mp-2_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-2" - }, - { - "name": "sort-id", - "value": "MP-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-2_smt", - "name": "statement", - "prose": "Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}." - }, - { - "id": "mp-2_gdn", - "name": "guidance", - "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media." - } - ] - }, - { - "id": "mp-3", - "class": "SP800-53", - "title": "Media Marking", - "parameters": [ - { - "id": "mp-3_prm_1", - "label": "organization-defined types of system media" - }, - { - "id": "mp-3_prm_2", - "label": "organization-defined controlled areas" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-3" - }, - { - "name": "sort-id", - "value": "MP-03" - } - ], - "links": [ - { - "href": "#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "rel": "reference", - "text": "[32 CFR 2002]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-22", - "rel": "related", - "text": "PE-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-3_smt", - "name": "statement", - "parts": [ - { - "id": "mp-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" - }, - { - "id": "mp-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Exempt {{ mp-3_prm_1 }} from marking if the media remain within {{ mp-3_prm_2 }}." - } - ] - }, - { - "id": "mp-3_gdn", - "name": "guidance", - "prose": "Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "mp-4", - "class": "SP800-53", - "title": "Media Storage", - "parameters": [ - { - "id": "mp-4_prm_1", - "label": "organization-defined types of digital and/or non-digital media" - }, - { - "id": "mp-4_prm_2", - "label": "organization-defined controlled areas" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-4" - }, - { - "name": "sort-id", - "value": "MP-04" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "rel": "reference", - "text": "[SP 800-56A]" - }, - { - "href": "#f417e4ec-cadb-47a8-a363-6006b32c28ad", - "rel": "reference", - "text": "[SP 800-56B]" - }, - { - "href": "#7c3ba335-62bd-4f03-888f-960790409b11", - "rel": "reference", - "text": "[SP 800-56C]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-4_smt", - "name": "statement", - "parts": [ - { - "id": "mp-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Physically control and securely store {{ mp-4_prm_1 }} within {{ mp-4_prm_2 }}; and" - }, - { - "id": "mp-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures." - } - ] - }, - { - "id": "mp-4_gdn", - "name": "guidance", - "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection." - } - ] - }, - { - "id": "mp-5", - "class": "SP800-53", - "title": "Media Transport", - "parameters": [ - { - "id": "mp-5_prm_1", - "label": "organization-defined types of system media" - }, - { - "id": "mp-5_prm_2", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-5" - }, - { - "name": "sort-id", - "value": "MP-05" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#mp-3", - "rel": "related", - "text": "MP-3" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - } - ], - "parts": [ - { - "id": "mp-5_smt", - "name": "statement", - "parts": [ - { - "id": "mp-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Protect and control {{ mp-5_prm_1 }} during transport outside of controlled areas using {{ mp-5_prm_2 }};" - }, - { - "id": "mp-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain accountability for system media during transport outside of controlled areas;" - }, - { - "id": "mp-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document activities associated with the transport of system media; and" - }, - { - "id": "mp-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Restrict the activities associated with the transport of system media to authorized personnel." - } - ] - }, - { - "id": "mp-5_gdn", - "name": "guidance", - "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records." - } - ] - }, - { - "id": "mp-6", - "class": "SP800-53", - "title": "Media Sanitization", - "parameters": [ - { - "id": "mp-6_prm_1", - "label": "organization-defined system media" - }, - { - "id": "mp-6_prm_2", - "label": "organization-defined sanitization techniques and procedures" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-6" - }, - { - "name": "sort-id", - "value": "MP-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#a52271dc-11b5-423a-8b6f-14867bd94259", - "rel": "reference", - "text": "[NSA MEDIA]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "mp-6_smt", - "name": "statement", - "parts": [ - { - "id": "mp-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and" - }, - { - "id": "mp-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." - } - ] - }, - { - "id": "mp-6_gdn", - "name": "guidance", - "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information." - } - ], - "controls": [ - { - "id": "mp-6.1", - "class": "SP800-53-enhancement", - "title": "Review, Approve, Track, Document, and Verify", - "properties": [ - { - "name": "label", - "value": "MP-6(1)" - }, - { - "name": "sort-id", - "value": "MP-06(01)" - } - ], - "parts": [ - { - "id": "mp-6.1_smt", - "name": "statement", - "prose": "Review, approve, track, document, and verify media sanitization and disposal actions." - }, - { - "id": "mp-6.1_gdn", - "name": "guidance", - "prose": "Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions; types of media sanitized; files stored on the media; sanitization methods used; date and time of the sanitization actions; personnel who performed the sanitization; verification actions taken and personnel who performed the verification; and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal." - } - ] - }, - { - "id": "mp-6.2", - "class": "SP800-53-enhancement", - "title": "Equipment Testing", - "parameters": [ - { - "id": "mp-6.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-6(2)" - }, - { - "name": "sort-id", - "value": "MP-06(02)" - } - ], - "parts": [ - { - "id": "mp-6.2_smt", - "name": "statement", - "prose": "Test sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being achieved." - }, - { - "id": "mp-6.2_gdn", - "name": "guidance", - "prose": "Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers." - } - ] - }, - { - "id": "mp-6.3", - "class": "SP800-53-enhancement", - "title": "Nondestructive Techniques", - "parameters": [ - { - "id": "mp-6.3_prm_1", - "label": "organization-defined circumstances requiring sanitization of portable storage devices" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-6(3)" - }, - { - "name": "sort-id", - "value": "MP-06(03)" - } - ], - "parts": [ - { - "id": "mp-6.3_smt", - "name": "statement", - "prose": "Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ mp-6.3_prm_1 }}." - }, - { - "id": "mp-6.3_gdn", - "name": "guidance", - "prose": "Portable storage devices include external or removable hard disk drives (solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices." - } - ] - } - ] - }, - { - "id": "mp-7", - "class": "SP800-53", - "title": "Media Use", - "parameters": [ - { - "id": "mp-7_prm_1" - }, - { - "id": "mp-7_prm_2", - "label": "organization-defined types of system media" - }, - { - "id": "mp-7_prm_3", - "label": "organization-defined systems or system components" - }, - { - "id": "mp-7_prm_4", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-7" - }, - { - "name": "sort-id", - "value": "MP-07" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-41", - "rel": "related", - "text": "SC-41" - } - ], - "parts": [ - { - "id": "mp-7_smt", - "name": "statement", - "parts": [ - { - "id": "mp-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "\n {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and" - }, - { - "id": "mp-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." - } - ] - }, - { - "id": "mp-7_gdn", - "name": "guidance", - "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." - } - ] - } - ] - }, - { - "id": "pe", - "class": "family", - "title": "Physical and Environmental Protection", - "controls": [ - { - "id": "pe-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pe-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pe-1_prm_2" - }, - { - "id": "pe-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pe-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pe-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-1" - }, - { - "name": "sort-id", - "value": "PE-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pe-1_smt", - "name": "statement", - "parts": [ - { - "id": "pe-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pe-1_prm_1 }}:", - "parts": [ - { - "id": "pe-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pe-1_prm_2 }} physical and environmental protection policy that:", - "parts": [ - { - "id": "pe-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pe-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pe-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" - } - ] - }, - { - "id": "pe-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" - }, - { - "id": "pe-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current physical and environmental protection:", - "parts": [ - { - "id": "pe-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pe-1_prm_4 }}; and" - }, - { - "id": "pe-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pe-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pe-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pe-2", - "class": "SP800-53", - "title": "Physical Access Authorizations", - "parameters": [ - { - "id": "pe-2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-2" - }, - { - "name": "sort-id", - "value": "PE-02" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-8", - "rel": "related", - "text": "PE-8" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - } - ], - "parts": [ - { - "id": "pe-2_smt", - "name": "statement", - "parts": [ - { - "id": "pe-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" - }, - { - "id": "pe-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Issue authorization credentials for facility access;" - }, - { - "id": "pe-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and" - }, - { - "id": "pe-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Remove individuals from the facility access list when access is no longer required." - } - ] - }, - { - "id": "pe-2_gdn", - "name": "guidance", - "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible." - } - ] - }, - { - "id": "pe-3", - "class": "SP800-53", - "title": "Physical Access Control", - "parameters": [ - { - "id": "pe-3_prm_1", - "label": "organization-defined entry and exit points to the facility where the system resides" - }, - { - "id": "pe-3_prm_2" - }, - { - "id": "pe-3_prm_3", - "depends-on": "pe-3_prm_2", - "label": "organization-defined physical access control systems or devices" - }, - { - "id": "pe-3_prm_4", - "label": "organization-defined entry or exit points" - }, - { - "id": "pe-3_prm_5", - "label": "organization-defined controls" - }, - { - "id": "pe-3_prm_6", - "label": "organization-defined circumstances requiring visitor escorts and monitoring" - }, - { - "id": "pe-3_prm_7", - "label": "organization-defined physical access devices" - }, - { - "id": "pe-3_prm_8", - "label": "organization-defined frequency" - }, - { - "id": "pe-3_prm_9", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-3" - }, - { - "name": "sort-id", - "value": "PE-03" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "rel": "reference", - "text": "[SP 800-116]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-8", - "rel": "related", - "text": "PE-8" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "pe-3_smt", - "name": "statement", - "parts": [ - { - "id": "pe-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enforce physical access authorizations at {{ pe-3_prm_1 }} by:", - "parts": [ - { - "id": "pe-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Verifying individual access authorizations before granting access to the facility; and" - }, - { - "id": "pe-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Controlling ingress and egress to the facility using {{ pe-3_prm_2 }};" - } - ] - }, - { - "id": "pe-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain physical access audit logs for {{ pe-3_prm_4 }};" - }, - { - "id": "pe-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }};" - }, - { - "id": "pe-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Escort visitors and monitor visitor activity {{ pe-3_prm_6 }};" - }, - { - "id": "pe-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Secure keys, combinations, and other physical access devices;" - }, - { - "id": "pe-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and" - }, - { - "id": "pe-3_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." - } - ] - }, - { - "id": "pe-3_gdn", - "name": "guidance", - "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." - } - ], - "controls": [ - { - "id": "pe-3.1", - "class": "SP800-53-enhancement", - "title": "System Access", - "parameters": [ - { - "id": "pe-3.1_prm_1", - "label": "organization-defined physical spaces containing one or more components of the system" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-3(1)" - }, - { - "name": "sort-id", - "value": "PE-03(01)" - } - ], - "parts": [ - { - "id": "pe-3.1_smt", - "name": "statement", - "prose": "Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ pe-3.1_prm_1 }}." - }, - { - "id": "pe-3.1_gdn", - "name": "guidance", - "prose": "Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components." - } - ] - } - ] - }, - { - "id": "pe-4", - "class": "SP800-53", - "title": "Access Control for Transmission", - "parameters": [ - { - "id": "pe-4_prm_1", - "label": "organization-defined system distribution and transmission lines" - }, - { - "id": "pe-4_prm_2", - "label": "organization-defined security controls" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-4" - }, - { - "name": "sort-id", - "value": "PE-04" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-9", - "rel": "related", - "text": "PE-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - } - ], - "parts": [ - { - "id": "pe-4_smt", - "name": "statement", - "prose": "Control physical access to {{ pe-4_prm_1 }} within organizational facilities using {{ pe-4_prm_2 }}." - }, - { - "id": "pe-4_gdn", - "name": "guidance", - "prose": "Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors." - } - ] - }, - { - "id": "pe-5", - "class": "SP800-53", - "title": "Access Control for Output Devices", - "parameters": [ - { - "id": "pe-5_prm_1", - "label": "organization-defined output devices" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-5" - }, - { - "name": "sort-id", - "value": "PE-05" - } - ], - "links": [ - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - } - ], - "parts": [ - { - "id": "pe-5_smt", - "name": "statement", - "prose": "Control physical access to output from {{ pe-5_prm_1 }} to prevent unauthorized individuals from obtaining the output." - }, - { - "id": "pe-5_gdn", - "name": "guidance", - "prose": "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers." - } - ] - }, - { - "id": "pe-6", - "class": "SP800-53", - "title": "Monitoring Physical Access", - "parameters": [ - { - "id": "pe-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pe-6_prm_2", - "label": "organization-defined events or potential indications of events" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-6" - }, - { - "name": "sort-id", - "value": "PE-06" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - } - ], - "parts": [ - { - "id": "pe-6_smt", - "name": "statement", - "parts": [ - { - "id": "pe-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" - }, - { - "id": "pe-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and" - }, - { - "id": "pe-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." - } - ] - }, - { - "id": "pe-6_gdn", - "name": "guidance", - "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses." - } - ], - "controls": [ - { - "id": "pe-6.1", - "class": "SP800-53-enhancement", - "title": "Intrusion Alarms and Surveillance Equipment", - "properties": [ - { - "name": "label", - "value": "PE-6(1)" - }, - { - "name": "sort-id", - "value": "PE-06(01)" - } - ], - "parts": [ - { - "id": "pe-6.1_smt", - "name": "statement", - "prose": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment." - }, - { - "id": "pe-6.1_gdn", - "name": "guidance", - "prose": "Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility." - } - ] - }, - { - "id": "pe-6.4", - "class": "SP800-53-enhancement", - "title": "Monitoring Physical Access to Systems", - "parameters": [ - { - "id": "pe-6.4_prm_1", - "label": "organization-defined physical spaces containing one or more components of the system" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-6(4)" - }, - { - "name": "sort-id", - "value": "PE-06(04)" - } - ], - "parts": [ - { - "id": "pe-6.4_smt", - "name": "statement", - "prose": "Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ pe-6.4_prm_1 }}." - }, - { - "id": "pe-6.4_gdn", - "name": "guidance", - "prose": "Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization." - } - ] - } - ] - }, - { - "id": "pe-8", - "class": "SP800-53", - "title": "Visitor Access Records", - "parameters": [ - { - "id": "pe-8_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "pe-8_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "pe-8_prm_3", - "label": "organization-defined personnel" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-8" - }, - { - "name": "sort-id", - "value": "PE-08" - } - ], - "links": [ - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - } - ], - "parts": [ - { - "id": "pe-8_smt", - "name": "statement", - "parts": [ - { - "id": "pe-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }};" - }, - { - "id": "pe-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review visitor access records {{ pe-8_prm_2 }}; and" - }, - { - "id": "pe-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Report anomalies in visitor access records to {{ pe-8_prm_3 }}." - } - ] - }, - { - "id": "pe-8_gdn", - "name": "guidance", - "prose": "Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas." - } - ], - "controls": [ - { - "id": "pe-8.1", - "class": "SP800-53-enhancement", - "title": "Automated Records Maintenance and Review", - "parameters": [ - { - "id": "pe-8.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-8(1)" - }, - { - "name": "sort-id", - "value": "PE-08(01)" - } - ], - "parts": [ - { - "id": "pe-8.1_smt", - "name": "statement", - "prose": "Maintain and review visitor access records using {{ pe-8.1_prm_1 }}." - }, - { - "id": "pe-8.1_gdn", - "name": "guidance", - "prose": "Visitor access records can be stored and maintained, for example, in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on regular basis to determine if access authorizations are current and still required to support organizational missions and business functions." - } - ] - } - ] - }, - { - "id": "pe-9", - "class": "SP800-53", - "title": "Power Equipment and Cabling", - "properties": [ - { - "name": "label", - "value": "PE-9" - }, - { - "name": "sort-id", - "value": "PE-09" - } - ], - "links": [ - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - } - ], - "parts": [ - { - "id": "pe-9_smt", - "name": "statement", - "prose": "Protect power equipment and power cabling for the system from damage and destruction." - }, - { - "id": "pe-9_gdn", - "name": "guidance", - "prose": "Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems." - } - ] - }, - { - "id": "pe-10", - "class": "SP800-53", - "title": "Emergency Shutoff", - "parameters": [ - { - "id": "pe-10_prm_1", - "label": "organization-defined system or individual system components" - }, - { - "id": "pe-10_prm_2", - "label": "organization-defined location by system or system component" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-10" - }, - { - "name": "sort-id", - "value": "PE-10" - } - ], - "links": [ - { - "href": "#pe-15", - "rel": "related", - "text": "PE-15" - } - ], - "parts": [ - { - "id": "pe-10_smt", - "name": "statement", - "parts": [ - { - "id": "pe-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide the capability of shutting off power to {{ pe-10_prm_1 }} in emergency situations;" - }, - { - "id": "pe-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Place emergency shutoff switches or devices in {{ pe-10_prm_2 }} to facilitate access for authorized personnel; and" - }, - { - "id": "pe-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Protect emergency power shutoff capability from unauthorized activation." - } - ] - }, - { - "id": "pe-10_gdn", - "name": "guidance", - "prose": "Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery." - } - ] - }, - { - "id": "pe-11", - "class": "SP800-53", - "title": "Emergency Power", - "parameters": [ - { - "id": "pe-11_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-11" - }, - { - "name": "sort-id", - "value": "PE-11" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "pe-11_smt", - "name": "statement", - "prose": "Provide an uninterruptible power supply to facilitate {{ pe-11_prm_1 }} in the event of a primary power source loss." - }, - { - "id": "pe-11_gdn", - "name": "guidance", - "prose": "An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system." - } - ], - "controls": [ - { - "id": "pe-11.1", - "class": "SP800-53-enhancement", - "title": "Alternate Power Supply — Minimal Operational Capability", - "parameters": [ - { - "id": "pe-11.1_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-11(1)" - }, - { - "name": "sort-id", - "value": "PE-11(01)" - } - ], - "parts": [ - { - "id": "pe-11.1_smt", - "name": "statement", - "prose": "Provide an alternate power supply for the system that is activated {{ pe-11.1_prm_1 }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source." - }, - { - "id": "pe-11.1_gdn", - "name": "guidance", - "prose": "Provision of an alternate power supply with minimal operating capability can be satisfied, for example, by accessing a secondary commercial power supply or other external power supply." - } - ] - } - ] - }, - { - "id": "pe-12", - "class": "SP800-53", - "title": "Emergency Lighting", - "properties": [ - { - "name": "label", - "value": "PE-12" - }, - { - "name": "sort-id", - "value": "PE-12" - } - ], - "links": [ - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "pe-12_smt", - "name": "statement", - "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." - }, - { - "id": "pe-12_gdn", - "name": "guidance", - "prose": "The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites." - } - ] - }, - { - "id": "pe-13", - "class": "SP800-53", - "title": "Fire Protection", - "properties": [ - { - "name": "label", - "value": "PE-13" - }, - { - "name": "sort-id", - "value": "PE-13" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "pe-13_smt", - "name": "statement", - "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." - }, - { - "id": "pe-13_gdn", - "name": "guidance", - "prose": "The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors." - } - ], - "controls": [ - { - "id": "pe-13.1", - "class": "SP800-53-enhancement", - "title": "Detection Systems – Automatic Activation and Notification", - "parameters": [ - { - "id": "pe-13.1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pe-13.1_prm_2", - "label": "organization-defined emergency responders" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-13(1)" - }, - { - "name": "sort-id", - "value": "PE-13(01)" - } - ], - "parts": [ - { - "id": "pe-13.1_smt", - "name": "statement", - "prose": "Employ fire detection systems that activate automatically and notify {{ pe-13.1_prm_1 }} and {{ pe-13.1_prm_2 }} in the event of a fire." - }, - { - "id": "pe-13.1_gdn", - "name": "guidance", - "prose": "Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire." - } - ] - }, - { - "id": "pe-13.2", - "class": "SP800-53-enhancement", - "title": "Suppression Systems – Automatic Activation and Notification", - "parameters": [ - { - "id": "pe-13.2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pe-13.2_prm_2", - "label": "organization-defined emergency responders" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-13(2)" - }, - { - "name": "sort-id", - "value": "PE-13(02)" - } - ], - "parts": [ - { - "id": "pe-13.2_smt", - "name": "statement", - "parts": [ - { - "id": "pe-13.2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Employ fire suppression systems that activate automatically and notify {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}; and" - }, - { - "id": "pe-13.2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis." - } - ] - }, - { - "id": "pe-13.2_gdn", - "name": "guidance", - "prose": "Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances, for example, to enter to facilities where access is restricted due to the impact level or classification of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire." - } - ] - } - ] - }, - { - "id": "pe-14", - "class": "SP800-53", - "title": "Environmental Controls", - "parameters": [ - { - "id": "pe-14_prm_1" - }, - { - "id": "pe-14_prm_2", - "depends-on": "pe-14_prm_1", - "label": "organization-defined environmental control" - }, - { - "id": "pe-14_prm_3", - "label": "organization-defined acceptable levels" - }, - { - "id": "pe-14_prm_4", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-14" - }, - { - "name": "sort-id", - "value": "PE-14" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pe-21", - "rel": "related", - "text": "PE-21" - } - ], - "parts": [ - { - "id": "pe-14_smt", - "name": "statement", - "parts": [ - { - "id": "pe-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and" - }, - { - "id": "pe-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Monitor environmental control levels {{ pe-14_prm_4 }}." - } - ] - }, - { - "id": "pe-14_gdn", - "name": "guidance", - "prose": "The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure." - } - ] - }, - { - "id": "pe-15", - "class": "SP800-53", - "title": "Water Damage Protection", - "properties": [ - { - "name": "label", - "value": "PE-15" - }, - { - "name": "sort-id", - "value": "PE-15" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pe-10", - "rel": "related", - "text": "PE-10" - } - ], - "parts": [ - { - "id": "pe-15_smt", - "name": "statement", - "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." - }, - { - "id": "pe-15_gdn", - "name": "guidance", - "prose": "The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations." - } - ], - "controls": [ - { - "id": "pe-15.1", - "class": "SP800-53-enhancement", - "title": "Automation Support", - "parameters": [ - { - "id": "pe-15.1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pe-15.1_prm_2", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-15(1)" - }, - { - "name": "sort-id", - "value": "PE-15(01)" - } - ], - "parts": [ - { - "id": "pe-15.1_smt", - "name": "statement", - "prose": "Detect the presence of water near the system and alert {{ pe-15.1_prm_1 }} using {{ pe-15.1_prm_2 }}." - }, - { - "id": "pe-15.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms include notification systems, water detection sensors, and alarms." - } - ] - } - ] - }, - { - "id": "pe-16", - "class": "SP800-53", - "title": "Delivery and Removal", - "parameters": [ - { - "id": "pe-16_prm_1", - "label": "organization-defined types of system components" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-16" - }, - { - "name": "sort-id", - "value": "PE-16" - } - ], - "links": [ - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "pe-16_smt", - "name": "statement", - "parts": [ - { - "id": "pe-16_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and" - }, - { - "id": "pe-16_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain records of the system components." - } - ] - }, - { - "id": "pe-16_gdn", - "name": "guidance", - "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." - } - ] - }, - { - "id": "pe-17", - "class": "SP800-53", - "title": "Alternate Work Site", - "parameters": [ - { - "id": "pe-17_prm_1", - "label": "organization-defined alternate work sites" - }, - { - "id": "pe-17_prm_2", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-17" - }, - { - "name": "sort-id", - "value": "PE-17" - } - ], - "links": [ - { - "href": "#7768c184-088d-4ee8-a316-f9286b52df7f", - "rel": "reference", - "text": "[SP 800-46]" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "pe-17_smt", - "name": "statement", - "parts": [ - { - "id": "pe-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine and document the {{ pe-17_prm_1 }} allowed for use by employees;" - }, - { - "id": "pe-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following controls at alternate work sites: {{ pe-17_prm_2 }};" - }, - { - "id": "pe-17_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assess the effectiveness of controls at alternate work sites; and" - }, - { - "id": "pe-17_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Provide a means for employees to communicate with information security and privacy personnel in case of incidents." - } - ] - }, - { - "id": "pe-17_gdn", - "name": "guidance", - "prose": "Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations." - } - ] - }, - { - "id": "pe-18", - "class": "SP800-53", - "title": "Location of System Components", - "parameters": [ - { - "id": "pe-18_prm_1", - "label": "organization-defined physical and environmental hazards" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-18" - }, - { - "name": "sort-id", - "value": "PE-18" - } - ], - "links": [ - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-19", - "rel": "related", - "text": "PE-19" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "pe-18_smt", - "name": "statement", - "prose": "Position system components within the facility to minimize potential damage from {{ pe-18_prm_1 }} and to minimize the opportunity for unauthorized access." - }, - { - "id": "pe-18_gdn", - "name": "guidance", - "prose": "Physical and environmental hazards include floods, fires, tornados, earthquakes, hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications, including using wireless sniffers or microphones." - } - ] - } - ] - }, - { - "id": "pl", - "class": "family", - "title": "Planning", - "controls": [ - { - "id": "pl-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pl-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-1_prm_2" - }, - { - "id": "pl-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pl-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pl-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-1" - }, - { - "name": "sort-id", - "value": "PL-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-1_smt", - "name": "statement", - "parts": [ - { - "id": "pl-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pl-1_prm_1 }}:", - "parts": [ - { - "id": "pl-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pl-1_prm_2 }} planning policy that:", - "parts": [ - { - "id": "pl-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pl-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pl-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" - } - ] - }, - { - "id": "pl-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" - }, - { - "id": "pl-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current planning:", - "parts": [ - { - "id": "pl-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pl-1_prm_4 }}; and" - }, - { - "id": "pl-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pl-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pl-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pl-2", - "class": "SP800-53", - "title": "System Security and Privacy Plans", - "parameters": [ - { - "id": "pl-2_prm_1", - "label": "organization-defined individuals or groups" - }, - { - "id": "pl-2_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-2" - }, - { - "name": "sort-id", - "value": "PL-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-22", - "rel": "related", - "text": "SA-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pl-2_smt", - "name": "statement", - "parts": [ - { - "id": "pl-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop security and privacy plans for the system that:", - "parts": [ - { - "id": "pl-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are consistent with the organization’s enterprise architecture;" - }, - { - "id": "pl-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Explicitly define the constituent system components;" - }, - { - "id": "pl-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Describe the operational context of the system in terms of missions and business processes;" - }, - { - "id": "pl-2_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Provide the security categorization of the system, including supporting rationale;" - }, - { - "id": "pl-2_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Describe any specific threats to the system that are of concern to the organization;" - }, - { - "id": "pl-2_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" - }, - { - "id": "pl-2_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" - }, - { - "id": "pl-2_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Provide an overview of the security and privacy requirements for the system;" - }, - { - "id": "pl-2_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Identify any relevant control baselines or overlays, if applicable;" - }, - { - "id": "pl-2_smt.a.10", - "name": "item", - "properties": [ - { - "name": "label", - "value": "10." - } - ], - "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" - }, - { - "id": "pl-2_smt.a.11", - "name": "item", - "properties": [ - { - "name": "label", - "value": "11." - } - ], - "prose": "Include risk determinations for security and privacy architecture and design decisions;" - }, - { - "id": "pl-2_smt.a.12", - "name": "item", - "properties": [ - { - "name": "label", - "value": "12." - } - ], - "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and" - }, - { - "id": "pl-2_smt.a.13", - "name": "item", - "properties": [ - { - "name": "label", - "value": "13." - } - ], - "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." - } - ] - }, - { - "id": "pl-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};" - }, - { - "id": "pl-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the plans {{ pl-2_prm_3 }};" - }, - { - "id": "pl-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" - }, - { - "id": "pl-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the plans from unauthorized disclosure and modification." - } - ] - }, - { - "id": "pl-2_gdn", - "name": "guidance", - "prose": "System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate." - } - ] - }, - { - "id": "pl-4", - "class": "SP800-53", - "title": "Rules of Behavior", - "parameters": [ - { - "id": "pl-4_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pl-4_prm_2" - }, - { - "id": "pl-4_prm_3", - "depends-on": "pl-4_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-4" - }, - { - "name": "sort-id", - "value": "PL-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-9", - "rel": "related", - "text": "AC-9" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-4_smt", - "name": "statement", - "parts": [ - { - "id": "pl-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" - }, - { - "id": "pl-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" - }, - { - "id": "pl-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the rules of behavior {{ pl-4_prm_1 }}; and" - }, - { - "id": "pl-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}." - } - ] - }, - { - "id": "pl-4_gdn", - "name": "guidance", - "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons." - } - ], - "controls": [ - { - "id": "pl-4.1", - "class": "SP800-53-enhancement", - "title": "Social Media and External Site/application Usage Restrictions", - "properties": [ - { - "name": "label", - "value": "PL-4(1)" - }, - { - "name": "sort-id", - "value": "PL-04(01)" - } - ], - "links": [ - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - } - ], - "parts": [ - { - "id": "pl-4.1_smt", - "name": "statement", - "prose": "Include in the rules of behavior, restrictions on:", - "parts": [ - { - "id": "pl-4.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Use of social media, social networking sites, and external sites/applications;" - }, - { - "id": "pl-4.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Posting organizational information on public websites; and" - }, - { - "id": "pl-4.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications." - } - ] - }, - { - "id": "pl-4.1_gdn", - "name": "guidance", - "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information." - } - ] - } - ] - }, - { - "id": "pl-8", - "class": "SP800-53", - "title": "Security and Privacy Architectures", - "parameters": [ - { - "id": "pl-8_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-8" - }, - { - "name": "sort-id", - "value": "PL-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pl-9", - "rel": "related", - "text": "PL-9" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "pl-8_smt", - "name": "statement", - "parts": [ - { - "id": "pl-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop security and privacy architectures for the system that:", - "parts": [ - { - "id": "pl-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" - }, - { - "id": "pl-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" - }, - { - "id": "pl-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" - }, - { - "id": "pl-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Describe any assumptions about, and dependencies on, external systems and services;" - } - ] - }, - { - "id": "pl-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and" - }, - { - "id": "pl-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions." - } - ] - }, - { - "id": "pl-8_gdn", - "name": "guidance", - "prose": "The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs.\n[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented.\nPL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." - } - ] - }, - { - "id": "pl-10", - "class": "SP800-53", - "title": "Baseline Selection", - "properties": [ - { - "name": "label", - "value": "PL-10" - }, - { - "name": "sort-id", - "value": "PL-10" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#31f3c9de-c57c-4281-929b-f9951f9640f1", - "rel": "reference", - "text": "[SP 800-53B]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ee96f130-3f91-46ed-a4d8-57e5f220a623", - "rel": "reference", - "text": "[CNSSI 1253]" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pl-10_smt", - "name": "statement", - "prose": "Select a control baseline for the system." - }, - { - "id": "pl-10_gdn", - "name": "guidance", - "prose": "Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments." - } - ] - }, - { - "id": "pl-11", - "class": "SP800-53", - "title": "Baseline Tailoring", - "properties": [ - { - "name": "label", - "value": "PL-11" - }, - { - "name": "sort-id", - "value": "PL-11" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#31f3c9de-c57c-4281-929b-f9951f9640f1", - "rel": "reference", - "text": "[SP 800-53B]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ee96f130-3f91-46ed-a4d8-57e5f220a623", - "rel": "reference", - "text": "[CNSSI 1253]" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pl-11_smt", - "name": "statement", - "prose": "Tailor the selected control baseline by applying specified tailoring actions." - }, - { - "id": "pl-11_gdn", - "name": "guidance", - "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities." - } - ] - } - ] - }, - { - "id": "pm", - "class": "family", - "title": "Program Management", - "controls": [ - { - "id": "pm-1", - "class": "SP800-53", - "title": "Information Security Program Plan", - "parameters": [ - { - "id": "pm-1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-1" - }, - { - "name": "sort-id", - "value": "PM-01" - } - ], - "links": [ - { - "href": "#14958422-54f6-471f-a345-802dca594dd8", - "rel": "reference", - "text": "[FISMA]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "pm-1_smt", - "name": "statement", - "parts": [ - { - "id": "pm-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and disseminate an organization-wide information security program plan that:", - "parts": [ - { - "id": "pm-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;" - }, - { - "id": "pm-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;" - }, - { - "id": "pm-1_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Reflects the coordination among organizational entities responsible for information security; and" - }, - { - "id": "pm-1_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;" - } - ] - }, - { - "id": "pm-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the organization-wide information security program plan {{ pm-1_prm_1 }};" - }, - { - "id": "pm-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and" - }, - { - "id": "pm-1_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect the information security program plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "pm-1_gdn", - "name": "guidance", - "prose": "An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents.\nInformation security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls." - } - ] - }, - { - "id": "pm-2", - "class": "SP800-53", - "title": "Information Security Program Leadership Role", - "properties": [ - { - "name": "label", - "value": "PM-2" - }, - { - "name": "sort-id", - "value": "PM-02" - } - ], - "links": [ - { - "href": "#ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3", - "rel": "reference", - "text": "[OMB M-17-25]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - } - ], - "parts": [ - { - "id": "pm-2_smt", - "name": "statement", - "prose": "Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program." - }, - { - "id": "pm-2_gdn", - "name": "guidance", - "prose": "The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer." - } - ] - }, - { - "id": "pm-3", - "class": "SP800-53", - "title": "Information Security and Privacy Resources", - "properties": [ - { - "name": "label", - "value": "PM-3" - }, - { - "name": "sort-id", - "value": "PM-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-3_smt", - "name": "statement", - "parts": [ - { - "id": "pm-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;" - }, - { - "id": "pm-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and" - }, - { - "id": "pm-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make available for expenditure, the planned information security and privacy resources." - } - ] - }, - { - "id": "pm-3_gdn", - "name": "guidance", - "prose": "Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process." - } - ] - }, - { - "id": "pm-4", - "class": "SP800-53", - "title": "Plan of Action and Milestones Process", - "properties": [ - { - "name": "label", - "value": "PM-4" - }, - { - "name": "sort-id", - "value": "PM-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-3", - "rel": "related", - "text": "PM-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-4_smt", - "name": "statement", - "parts": [ - { - "id": "pm-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:", - "parts": [ - { - "id": "pm-4_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained;" - }, - { - "id": "pm-4_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-4_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Are reported in accordance with established reporting requirements." - } - ] - }, - { - "id": "pm-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-4_gdn", - "name": "guidance", - "prose": "The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5." - } - ] - }, - { - "id": "pm-5", - "class": "SP800-53", - "title": "System Inventory", - "parameters": [ - { - "id": "pm-5_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-5" - }, - { - "name": "sort-id", - "value": "PM-05" - } - ], - "links": [ - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - } - ], - "parts": [ - { - "id": "pm-5_smt", - "name": "statement", - "prose": "Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems." - }, - { - "id": "pm-5_gdn", - "name": "guidance", - "prose": "[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8." - } - ], - "controls": [ - { - "id": "pm-5.1", - "class": "SP800-53-enhancement", - "title": "Inventory of Personally Identifiable Information", - "parameters": [ - { - "id": "pm-5.1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-5(1)" - }, - { - "name": "sort-id", - "value": "PM-05(01)" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-12", - "rel": "related", - "text": "CM-12" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-5.1_smt", - "name": "statement", - "prose": "Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information." - }, - { - "id": "pm-5.1_gdn", - "name": "guidance", - "prose": "An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein." - } - ] - } - ] - }, - { - "id": "pm-6", - "class": "SP800-53", - "title": "Measures of Performance", - "properties": [ - { - "name": "label", - "value": "PM-6" - }, - { - "name": "sort-id", - "value": "PM-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "rel": "reference", - "text": "[SP 800-55]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - } - ], - "parts": [ - { - "id": "pm-6_smt", - "name": "statement", - "prose": "Develop, monitor, and report on the results of information security and privacy measures of performance." - }, - { - "id": "pm-6_gdn", - "name": "guidance", - "prose": "Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program." - } - ] - }, - { - "id": "pm-7", - "class": "SP800-53", - "title": "Enterprise Architecture", - "properties": [ - { - "name": "label", - "value": "PM-7" - }, - { - "name": "sort-id", - "value": "PM-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "pm-7_smt", - "name": "statement", - "prose": "Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation." - }, - { - "id": "pm-7_gdn", - "name": "guidance", - "prose": "The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines." - } - ], - "controls": [ - { - "id": "pm-7.1", - "class": "SP800-53-enhancement", - "title": "Offloading", - "parameters": [ - { - "id": "pm-7.1_prm_1", - "label": "organization-defined non-essential functions or services" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-7(1)" - }, - { - "name": "sort-id", - "value": "PM-07(01)" - } - ], - "links": [ - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pm-7.1_smt", - "name": "statement", - "prose": "Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider." - }, - { - "id": "pm-7.1_gdn", - "name": "guidance", - "prose": "Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services." - } - ] - } - ] - }, - { - "id": "pm-8", - "class": "SP800-53", - "title": "Critical Infrastructure Plan", - "properties": [ - { - "name": "label", - "value": "PM-8" - }, - { - "name": "sort-id", - "value": "PM-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#cde25174-38e0-4a00-8919-8ee3674b8088", - "rel": "reference", - "text": "[HSPD 7]" - }, - { - "href": "#24b7b1ec-6430-41de-9353-29fdb1b488fc", - "rel": "reference", - "text": "[DHS NIPP]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-8_smt", - "name": "statement", - "prose": "Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan." - }, - { - "id": "pm-8_gdn", - "name": "guidance", - "prose": "Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "pm-9", - "class": "SP800-53", - "title": "Risk Management Strategy", - "parameters": [ - { - "id": "pm-9_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-9" - }, - { - "name": "sort-id", - "value": "PM-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "pm-9_smt", - "name": "statement", - "parts": [ - { - "id": "pm-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develops a comprehensive strategy to manage:", - "parts": [ - { - "id": "pm-9_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and" - }, - { - "id": "pm-9_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Privacy risk to individuals resulting from the authorized processing of personally identifiable information;" - } - ] - }, - { - "id": "pm-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the risk management strategy consistently across the organization; and" - }, - { - "id": "pm-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes." - } - ] - }, - { - "id": "pm-9_gdn", - "name": "guidance", - "prose": "An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive." - } - ] - }, - { - "id": "pm-10", - "class": "SP800-53", - "title": "Authorization Process", - "properties": [ - { - "name": "label", - "value": "PM-10" - }, - { - "name": "sort-id", - "value": "PM-10" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "pm-10_smt", - "name": "statement", - "parts": [ - { - "id": "pm-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;" - }, - { - "id": "pm-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and" - }, - { - "id": "pm-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Integrate the authorization processes into an organization-wide risk management program." - } - ] - }, - { - "id": "pm-10_gdn", - "name": "guidance", - "prose": "Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation." - } - ] - }, - { - "id": "pm-11", - "class": "SP800-53", - "title": "Mission and Business Process Definition", - "parameters": [ - { - "id": "pm-11_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-11" - }, - { - "name": "sort-id", - "value": "PM-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-11_smt", - "name": "statement", - "parts": [ - { - "id": "pm-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and" - }, - { - "id": "pm-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and revise the mission and business processes {{ pm-11_prm_1 }}." - } - ] - }, - { - "id": "pm-11_gdn", - "name": "guidance", - "prose": "Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures." - } - ] - }, - { - "id": "pm-12", - "class": "SP800-53", - "title": "Insider Threat Program", - "properties": [ - { - "name": "label", - "value": "PM-12" - }, - { - "name": "sort-id", - "value": "PM-12" - } - ], - "links": [ - { - "href": "#2b5e12fb-633f-49e6-8aff-81d75bf53545", - "rel": "reference", - "text": "[EO 13587]" - }, - { - "href": "#286d42a1-efbe-49a2-9ce1-4c9bf68feb3b", - "rel": "reference", - "text": "[ODNI NITP]" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-16", - "rel": "related", - "text": "PM-16" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - } - ], - "parts": [ - { - "id": "pm-12_smt", - "name": "statement", - "prose": "Implement an insider threat program that includes a cross-discipline insider threat incident handling team." - }, - { - "id": "pm-12_gdn", - "name": "guidance", - "prose": "Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture.\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "pm-13", - "class": "SP800-53", - "title": "Security and Privacy Workforce", - "properties": [ - { - "name": "label", - "value": "PM-13" - }, - { - "name": "sort-id", - "value": "PM-13" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f4c3f657-de83-47ae-9aec-e144de8268d1", - "rel": "reference", - "text": "[SP 800-181]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "pm-13_smt", - "name": "statement", - "prose": "Establish a security and privacy workforce development and improvement program." - }, - { - "id": "pm-13_gdn", - "name": "guidance", - "prose": "Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals." - } - ] - }, - { - "id": "pm-14", - "class": "SP800-53", - "title": "Testing, Training, and Monitoring", - "properties": [ - { - "name": "label", - "value": "PM-14" - }, - { - "name": "sort-id", - "value": "PM-14" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "pm-14_smt", - "name": "statement", - "parts": [ - { - "id": "pm-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:", - "parts": [ - { - "id": "pm-14_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained; and" - }, - { - "id": "pm-14_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Continue to be executed; and" - } - ] - }, - { - "id": "pm-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-14_gdn", - "name": "guidance", - "prose": "This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments." - } - ] - }, - { - "id": "pm-15", - "class": "SP800-53", - "title": "Security and Privacy Groups and Associations", - "properties": [ - { - "name": "label", - "value": "PM-15" - }, - { - "name": "sort-id", - "value": "PM-15" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - } - ], - "parts": [ - { - "id": "pm-15_smt", - "name": "statement", - "prose": "Establish and institutionalize contact with selected groups and associations within the security and privacy communities:", - "parts": [ - { - "id": "pm-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "To facilitate ongoing security and privacy education and training for organizational personnel;" - }, - { - "id": "pm-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "To maintain currency with recommended security and privacy practices, techniques, and technologies; and" - }, - { - "id": "pm-15_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "To share current security and privacy information, including threats, vulnerabilities, and incidents." - } - ] - }, - { - "id": "pm-15_gdn", - "name": "guidance", - "prose": "Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "pm-16", - "class": "SP800-53", - "title": "Threat Awareness Program", - "properties": [ - { - "name": "label", - "value": "PM-16" - }, - { - "name": "sort-id", - "value": "PM-16" - } - ], - "links": [ - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - } - ], - "parts": [ - { - "id": "pm-16_smt", - "name": "statement", - "prose": "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence." - }, - { - "id": "pm-16_gdn", - "name": "guidance", - "prose": "Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared." - } - ], - "controls": [ - { - "id": "pm-16.1", - "class": "SP800-53-enhancement", - "title": "Automated Means for Sharing Threat Intelligence", - "properties": [ - { - "name": "label", - "value": "PM-16(1)" - }, - { - "name": "sort-id", - "value": "PM-16(01)" - } - ], - "parts": [ - { - "id": "pm-16.1_smt", - "name": "statement", - "prose": "Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information." - }, - { - "id": "pm-16.1_gdn", - "name": "guidance", - "prose": "To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures." - } - ] - } - ] - }, - { - "id": "pm-17", - "class": "SP800-53", - "title": "Protecting Controlled Unclassified Information on External Systems", - "parameters": [ - { - "id": "pm-17_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-17" - }, - { - "name": "sort-id", - "value": "PM-17" - } - ], - "links": [ - { - "href": "#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "rel": "reference", - "text": "[32 CFR 2002]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#dd87fdf0-840d-4392-9de4-220b2327e340", - "rel": "reference", - "text": "[NARA CUI]" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - } - ], - "parts": [ - { - "id": "pm-17_smt", - "name": "statement", - "parts": [ - { - "id": "pm-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards." - }, - { - "id": "pm-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update the policy and procedures {{ pm-17_prm_1 }}." - } - ] - }, - { - "id": "pm-17_gdn", - "name": "guidance", - "prose": "Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes." - } - ] - }, - { - "id": "pm-18", - "class": "SP800-53", - "title": "Privacy Program Plan", - "properties": [ - { - "name": "label", - "value": "PM-18" - }, - { - "name": "sort-id", - "value": "PM-18" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-18_smt", - "name": "statement", - "parts": [ - { - "id": "pm-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:", - "parts": [ - { - "id": "pm-18_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;" - }, - { - "id": "pm-18_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;" - }, - { - "id": "pm-18_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;" - }, - { - "id": "pm-18_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;" - }, - { - "id": "pm-18_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Reflects coordination among organizational entities responsible for the different aspects of privacy; and" - }, - { - "id": "pm-18_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and" - } - ] - }, - { - "id": "pm-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments." - } - ] - }, - { - "id": "pm-18_gdn", - "name": "guidance", - "prose": "A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls." - } - ] - }, - { - "id": "pm-19", - "class": "SP800-53", - "title": "Privacy Program Leadership Role", - "properties": [ - { - "name": "label", - "value": "PM-19" - }, - { - "name": "sort-id", - "value": "PM-19" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-20", - "rel": "related", - "text": "PM-20" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - } - ], - "parts": [ - { - "id": "pm-19_smt", - "name": "statement", - "prose": "Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program." - }, - { - "id": "pm-19_gdn", - "name": "guidance", - "prose": "The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)." - } - ] - }, - { - "id": "pm-20", - "class": "SP800-53", - "title": "Dissemination of Privacy Program Information", - "properties": [ - { - "name": "label", - "value": "PM-20" - }, - { - "name": "sort-id", - "value": "PM-20" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f7d3617a-9a4f-4f1a-a688-845081b70390", - "rel": "reference", - "text": "[OMB M-17-06]" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - } - ], - "parts": [ - { - "id": "pm-20_smt", - "name": "statement", - "prose": "Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:", - "parts": [ - { - "id": "pm-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;" - }, - { - "id": "pm-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensures that organizational privacy practices and reports are publicly available; and" - }, - { - "id": "pm-20_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices." - } - ] - }, - { - "id": "pm-20_gdn", - "name": "guidance", - "prose": "Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications." - } - ] - }, - { - "id": "pm-21", - "class": "SP800-53", - "title": "Accounting of Disclosures", - "properties": [ - { - "name": "label", - "value": "PM-21" - }, - { - "name": "sort-id", - "value": "PM-21" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - } - ], - "parts": [ - { - "id": "pm-21_smt", - "name": "statement", - "parts": [ - { - "id": "pm-21_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:", - "parts": [ - { - "id": "pm-21_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Date, nature, and purpose of each disclosure; and" - }, - { - "id": "pm-21_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Name and address, or other contact information of the person or organization to which the disclosure was made;" - } - ] - }, - { - "id": "pm-21_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and" - }, - { - "id": "pm-21_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request." - } - ] - }, - { - "id": "pm-21_gdn", - "name": "guidance", - "prose": "The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions." - } - ] - }, - { - "id": "pm-22", - "class": "SP800-53", - "title": "Personally Identifiable Information Quality Management", - "properties": [ - { - "name": "label", - "value": "PM-22" - }, - { - "name": "sort-id", - "value": "PM-22" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-22_smt", - "name": "statement", - "prose": "Develop and document policies and procedures for:", - "parts": [ - { - "id": "pm-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;" - }, - { - "id": "pm-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Correcting or deleting inaccurate or outdated personally identifiable information;" - }, - { - "id": "pm-22_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and" - }, - { - "id": "pm-22_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Appeals of adverse decisions on correction or deletion requests." - } - ] - }, - { - "id": "pm-22_gdn", - "name": "guidance", - "prose": "Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem." - } - ] - }, - { - "id": "pm-23", - "class": "SP800-53", - "title": "Data Governance Body", - "parameters": [ - { - "id": "pm-23_prm_1", - "label": "organization-defined roles" - }, - { - "id": "pm-23_prm_2", - "label": "organization-defined responsibilities" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-23" - }, - { - "name": "sort-id", - "value": "PM-23" - } - ], - "links": [ - { - "href": "#43facb7b-0afb-480f-8191-34790d5b444b", - "rel": "reference", - "text": "[EVIDACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#d843e915-eeb6-4bbe-8cab-ccc802088703", - "rel": "reference", - "text": "[OMB M-19-23]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - } - ], - "parts": [ - { - "id": "pm-23_smt", - "name": "statement", - "prose": "Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}." - }, - { - "id": "pm-23_gdn", - "name": "guidance", - "prose": "A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]." - } - ] - }, - { - "id": "pm-24", - "class": "SP800-53", - "title": "Data Integrity Board", - "properties": [ - { - "name": "label", - "value": "PM-24" - }, - { - "name": "sort-id", - "value": "PM-24" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - } - ], - "parts": [ - { - "id": "pm-24_smt", - "name": "statement", - "prose": "Establish a Data Integrity Board to:", - "parts": [ - { - "id": "pm-24_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review proposals to conduct or participate in a matching program; and" - }, - { - "id": "pm-24_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Conduct an annual review of all matching programs in which the agency has participated." - } - ] - }, - { - "id": "pm-24_gdn", - "name": "guidance", - "prose": "A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy." - } - ] - }, - { - "id": "pm-25", - "class": "SP800-53", - "title": "Minimization of Pii Used in Testing, Training, and Research", - "parameters": [ - { - "id": "pm-25_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-25" - }, - { - "name": "sort-id", - "value": "PM-25" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "pm-25_smt", - "name": "statement", - "parts": [ - { - "id": "pm-25_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;" - }, - { - "id": "pm-25_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;" - }, - { - "id": "pm-25_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and" - }, - { - "id": "pm-25_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review and update policies and procedures {{ pm-25_prm_1 }}." - } - ] - }, - { - "id": "pm-25_gdn", - "name": "guidance", - "prose": "The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)." - } - ] - }, - { - "id": "pm-26", - "class": "SP800-53", - "title": "Complaint Management", - "parameters": [ - { - "id": "pm-26_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_3", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-26" - }, - { - "name": "sort-id", - "value": "PM-26" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-26_smt", - "name": "statement", - "prose": "Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:", - "parts": [ - { - "id": "pm-26_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Mechanisms that are easy to use and readily accessible by the public;" - }, - { - "id": "pm-26_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "All information necessary for successfully filing complaints;" - }, - { - "id": "pm-26_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};" - }, - { - "id": "pm-26_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and" - }, - { - "id": "pm-26_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}." - } - ] - }, - { - "id": "pm-26_gdn", - "name": "guidance", - "prose": "Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information." - } - ] - }, - { - "id": "pm-27", - "class": "SP800-53", - "title": "Privacy Reporting", - "parameters": [ - { - "id": "pm-27_prm_1", - "label": "organization-defined privacy reports" - }, - { - "id": "pm-27_prm_2", - "label": "organization-defined officials" - }, - { - "id": "pm-27_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-27" - }, - { - "name": "sort-id", - "value": "PM-27" - } - ], - "links": [ - { - "href": "#14958422-54f6-471f-a345-802dca594dd8", - "rel": "reference", - "text": "[FISMA]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-27_smt", - "name": "statement", - "parts": [ - { - "id": "pm-27_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop {{ pm-27_prm_1 }} and disseminate to:", - "parts": [ - { - "id": "pm-27_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and" - }, - { - "id": "pm-27_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and" - } - ] - }, - { - "id": "pm-27_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update privacy reports {{ pm-27_prm_3 }}." - } - ] - }, - { - "id": "pm-27_gdn", - "name": "guidance", - "prose": "Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements." - } - ] - }, - { - "id": "pm-28", - "class": "SP800-53", - "title": "Risk Framing", - "parameters": [ - { - "id": "pm-28_prm_1", - "label": "organization-defined personnel" - }, - { - "id": "pm-28_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-28" - }, - { - "name": "sort-id", - "value": "PM-28" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - } - ], - "parts": [ - { - "id": "pm-28_smt", - "name": "statement", - "parts": [ - { - "id": "pm-28_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document:", - "parts": [ - { - "id": "pm-28_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Assumptions affecting risk assessments, risk responses, and risk monitoring;" - }, - { - "id": "pm-28_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Constraints affecting risk assessments, risk responses, and risk monitoring;" - }, - { - "id": "pm-28_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Priorities and trade-offs considered by the organization for managing risk; and" - }, - { - "id": "pm-28_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Organizational risk tolerance; and" - } - ] - }, - { - "id": "pm-28_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute the results of risk framing activities to {{ pm-28_prm_1 }};" - }, - { - "id": "pm-28_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update risk framing considerations {{ pm-28_prm_2 }}." - } - ] - }, - { - "id": "pm-28_gdn", - "name": "guidance", - "prose": "Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management." - } - ] - }, - { - "id": "pm-29", - "class": "SP800-53", - "title": "Risk Management Program Leadership Roles", - "properties": [ - { - "name": "label", - "value": "PM-29" - }, - { - "name": "sort-id", - "value": "PM-29" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-29_smt", - "name": "statement", - "parts": [ - { - "id": "pm-29_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and" - }, - { - "id": "pm-29_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization." - } - ] - }, - { - "id": "pm-29_gdn", - "name": "guidance", - "prose": "The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities." - } - ] - }, - { - "id": "pm-30", - "class": "SP800-53", - "title": "Supply Chain Risk Management Strategy", - "parameters": [ - { - "id": "pm-30_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-30" - }, - { - "name": "sort-id", - "value": "PM-30" - } - ], - "links": [ - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-7", - "rel": "related", - "text": "SR-7" - }, - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "pm-30_smt", - "name": "statement", - "parts": [ - { - "id": "pm-30_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;" - }, - { - "id": "pm-30_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the supply chain risk management strategy consistently across the organization; and" - }, - { - "id": "pm-30_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes." - } - ] - }, - { - "id": "pm-30_gdn", - "name": "guidance", - "prose": "An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level." - } - ] - }, - { - "id": "pm-31", - "class": "SP800-53", - "title": "Continuous Monitoring Strategy", - "parameters": [ - { - "id": "pm-31_prm_1", - "label": "organization-defined metrics" - }, - { - "id": "pm-31_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "pm-31_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-31" - }, - { - "name": "sort-id", - "value": "PM-31" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pm-31_smt", - "name": "statement", - "prose": "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:", - "parts": [ - { - "id": "pm-31_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};" - }, - { - "id": "pm-31_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "pm-31_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "pm-31_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "pm-31_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "pm-31_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}." - } - ] - }, - { - "id": "pm-31_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ] - }, - { - "id": "pm-32", - "class": "SP800-53", - "title": "Purposing", - "parameters": [ - { - "id": "pm-32_prm_1", - "label": "organization-defined systems or systems components" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-32" - }, - { - "name": "sort-id", - "value": "PM-32" - } - ], - "links": [ - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - } - ], - "parts": [ - { - "id": "pm-32_smt", - "name": "statement", - "prose": "Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose." - }, - { - "id": "pm-32_gdn", - "name": "guidance", - "prose": "Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures." - } - ] - } - ] - }, - { - "id": "ps", - "class": "family", - "title": "Personnel Security", - "controls": [ - { - "id": "ps-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ps-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-1_prm_2" - }, - { - "id": "ps-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ps-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ps-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-1" - }, - { - "name": "sort-id", - "value": "PS-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-1_smt", - "name": "statement", - "parts": [ - { - "id": "ps-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ps-1_prm_1 }}:", - "parts": [ - { - "id": "ps-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ps-1_prm_2 }} personnel security policy that:", - "parts": [ - { - "id": "ps-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ps-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ps-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" - } - ] - }, - { - "id": "ps-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" - }, - { - "id": "ps-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current personnel security:", - "parts": [ - { - "id": "ps-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ps-1_prm_4 }}; and" - }, - { - "id": "ps-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ps-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ps-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ps-2", - "class": "SP800-53", - "title": "Position Risk Designation", - "parameters": [ - { - "id": "ps-2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-2" - }, - { - "name": "sort-id", - "value": "PS-02" - } - ], - "links": [ - { - "href": "#2383ccfd-d8a0-4e3a-bf40-21288ae1e07a", - "rel": "reference", - "text": "[5 CFR 731]" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-2_smt", - "name": "statement", - "parts": [ - { - "id": "ps-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Assign a risk designation to all organizational positions;" - }, - { - "id": "ps-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establish screening criteria for individuals filling those positions; and" - }, - { - "id": "ps-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update position risk designations {{ ps-2_prm_1 }}." - } - ] - }, - { - "id": "ps-2_gdn", - "name": "guidance", - "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." - } - ] - }, - { - "id": "ps-3", - "class": "SP800-53", - "title": "Personnel Screening", - "parameters": [ - { - "id": "ps-3_prm_1", - "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-3" - }, - { - "name": "sort-id", - "value": "PS-03" - } - ], - "links": [ - { - "href": "#52a8b0c6-0c6b-424b-928d-41c50ba87838", - "rel": "reference", - "text": "[EO 13526]" - }, - { - "href": "#2b5e12fb-633f-49e6-8aff-81d75bf53545", - "rel": "reference", - "text": "[EO 13587]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - } - ], - "parts": [ - { - "id": "ps-3_smt", - "name": "statement", - "parts": [ - { - "id": "ps-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Screen individuals prior to authorizing access to the system; and" - }, - { - "id": "ps-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Rescreen individuals in accordance with {{ ps-3_prm_1 }}." - } - ] - }, - { - "id": "ps-3_gdn", - "name": "guidance", - "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." - } - ] - }, - { - "id": "ps-4", - "class": "SP800-53", - "title": "Personnel Termination", - "parameters": [ - { - "id": "ps-4_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ps-4_prm_2", - "label": "organization-defined information security topics" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-4" - }, - { - "name": "sort-id", - "value": "PS-04" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - } - ], - "parts": [ - { - "id": "ps-4_smt", - "name": "statement", - "prose": "Upon termination of individual employment:", - "parts": [ - { - "id": "ps-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Disable system access within {{ ps-4_prm_1 }};" - }, - { - "id": "ps-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" - }, - { - "id": "ps-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }};" - }, - { - "id": "ps-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Retrieve all security-related organizational system-related property; and" - }, - { - "id": "ps-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." - } - ] - }, - { - "id": "ps-4_gdn", - "name": "guidance", - "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified." - } - ], - "controls": [ - { - "id": "ps-4.2", - "class": "SP800-53-enhancement", - "title": "Automated Notification", - "parameters": [ - { - "id": "ps-4.2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-4.2_prm_2", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-4(2)" - }, - { - "name": "sort-id", - "value": "PS-04(02)" - } - ], - "parts": [ - { - "id": "ps-4.2_smt", - "name": "statement", - "prose": "Notify {{ ps-4.2_prm_1 }} of individual termination actions using {{ ps-4.2_prm_2 }}." - }, - { - "id": "ps-4.2_gdn", - "name": "guidance", - "prose": "In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including telephonically, via electronic mail, via text message, or via websites." - } - ] - } - ] - }, - { - "id": "ps-5", - "class": "SP800-53", - "title": "Personnel Transfer", - "parameters": [ - { - "id": "ps-5_prm_1", - "label": "organization-defined transfer or reassignment actions" - }, - { - "id": "ps-5_prm_2", - "label": "organization-defined time-period following the formal transfer action" - }, - { - "id": "ps-5_prm_3", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-5_prm_4", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-5" - }, - { - "name": "sort-id", - "value": "PS-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - } - ], - "parts": [ - { - "id": "ps-5_smt", - "name": "statement", - "parts": [ - { - "id": "ps-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" - }, - { - "id": "ps-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};" - }, - { - "id": "ps-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" - }, - { - "id": "ps-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}." - } - ] - }, - { - "id": "ps-5_gdn", - "name": "guidance", - "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." - } - ] - }, - { - "id": "ps-6", - "class": "SP800-53", - "title": "Access Agreements", - "parameters": [ - { - "id": "ps-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ps-6_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-6" - }, - { - "name": "sort-id", - "value": "PS-06" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-6_smt", - "name": "statement", - "parts": [ - { - "id": "ps-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and document access agreements for organizational systems;" - }, - { - "id": "ps-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the access agreements {{ ps-6_prm_1 }}; and" - }, - { - "id": "ps-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Verify that individuals requiring access to organizational information and systems:", - "parts": [ - { - "id": "ps-6_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Sign appropriate access agreements prior to being granted access; and" - }, - { - "id": "ps-6_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}." - } - ] - } - ] - }, - { - "id": "ps-6_gdn", - "name": "guidance", - "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." - } - ] - }, - { - "id": "ps-7", - "class": "SP800-53", - "title": "External Personnel Security", - "parameters": [ - { - "id": "ps-7_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-7_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-7" - }, - { - "name": "sort-id", - "value": "PS-07" - } - ], - "links": [ - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - } - ], - "parts": [ - { - "id": "ps-7_smt", - "name": "statement", - "parts": [ - { - "id": "ps-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" - }, - { - "id": "ps-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" - }, - { - "id": "ps-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document personnel security requirements;" - }, - { - "id": "ps-7_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and" - }, - { - "id": "ps-7_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Monitor provider compliance with personnel security requirements." - } - ] - }, - { - "id": "ps-7_gdn", - "name": "guidance", - "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated." - } - ] - }, - { - "id": "ps-8", - "class": "SP800-53", - "title": "Personnel Sanctions", - "parameters": [ - { - "id": "ps-8_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-8_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-8" - }, - { - "name": "sort-id", - "value": "PS-08" - } - ], - "links": [ - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - } - ], - "parts": [ - { - "id": "ps-8_smt", - "name": "statement", - "parts": [ - { - "id": "ps-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" - }, - { - "id": "ps-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." - } - ] - }, - { - "id": "ps-8_gdn", - "name": "guidance", - "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." - } - ] - } - ] - }, - { - "id": "ra", - "class": "family", - "title": "Risk Assessment", - "controls": [ - { - "id": "ra-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ra-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-1_prm_2" - }, - { - "id": "ra-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ra-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ra-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-1" - }, - { - "name": "sort-id", - "value": "RA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-1_smt", - "name": "statement", - "parts": [ - { - "id": "ra-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ra-1_prm_1 }}:", - "parts": [ - { - "id": "ra-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ra-1_prm_2 }} risk assessment policy that:", - "parts": [ - { - "id": "ra-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ra-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ra-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" - } - ] - }, - { - "id": "ra-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" - }, - { - "id": "ra-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current risk assessment:", - "parts": [ - { - "id": "ra-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ra-1_prm_4 }}; and" - }, - { - "id": "ra-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ra-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ra-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ra-2", - "class": "SP800-53", - "title": "Security Categorization", - "properties": [ - { - "name": "label", - "value": "RA-2" - }, - { - "name": "sort-id", - "value": "RA-02" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-2_smt", - "name": "statement", - "parts": [ - { - "id": "ra-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Categorize the system and information it processes, stores, and transmits;" - }, - { - "id": "ra-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" - }, - { - "id": "ra-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." - } - ] - }, - { - "id": "ra-2_gdn", - "name": "guidance", - "prose": "Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts.\nSecurity categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant." - } - ] - }, - { - "id": "ra-3", - "class": "SP800-53", - "title": "Risk Assessment", - "parameters": [ - { - "id": "ra-3_prm_1" - }, - { - "id": "ra-3_prm_2", - "depends-on": "ra-3_prm_1", - "label": "organization-defined document" - }, - { - "id": "ra-3_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "ra-3_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-3_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-3" - }, - { - "name": "sort-id", - "value": "RA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-3_smt", - "name": "statement", - "parts": [ - { - "id": "ra-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Conduct a risk assessment, including:", - "parts": [ - { - "id": "ra-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" - }, - { - "id": "ra-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" - } - ] - }, - { - "id": "ra-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" - }, - { - "id": "ra-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document risk assessment results in {{ ra-3_prm_1 }};" - }, - { - "id": "ra-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review risk assessment results {{ ra-3_prm_3 }};" - }, - { - "id": "ra-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Disseminate risk assessment results to {{ ra-3_prm_4 }}; and" - }, - { - "id": "ra-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." - } - ] - }, - { - "id": "ra-3_gdn", - "name": "guidance", - "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." - } - ], - "controls": [ - { - "id": "ra-3.1", - "class": "SP800-53-enhancement", - "title": "Supply Chain Risk Assessment", - "parameters": [ - { - "id": "ra-3.1_prm_1", - "label": "organization-defined systems, system components, and system services" - }, - { - "id": "ra-3.1_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-3(1)" - }, - { - "name": "sort-id", - "value": "RA-03(01)" - } - ], - "links": [ - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#pm-17", - "rel": "related", - "text": "PM-17" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "ra-3.1_smt", - "name": "statement", - "parts": [ - { - "id": "ra-3.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and" - }, - { - "id": "ra-3.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." - } - ] - }, - { - "id": "ra-3.1_gdn", - "name": "guidance", - "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." - } - ] - } - ] - }, - { - "id": "ra-5", - "class": "SP800-53", - "title": "Vulnerability Monitoring and Scanning", - "parameters": [ - { - "id": "ra-5_prm_1", - "label": "organization-defined frequency and/or randomly in accordance with organization-defined process" - }, - { - "id": "ra-5_prm_2", - "label": "organization-defined response times" - }, - { - "id": "ra-5_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5" - }, - { - "name": "sort-id", - "value": "RA-05" - } - ], - "links": [ - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "rel": "reference", - "text": "[SP 800-126]" - }, - { - "href": "#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "rel": "reference", - "text": "[IR 7788]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "ra-5_smt", - "name": "statement", - "parts": [ - { - "id": "ra-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" - }, - { - "id": "ra-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", - "parts": [ - { - "id": "ra-5_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Enumerating platforms, software flaws, and improper configurations;" - }, - { - "id": "ra-5_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Formatting checklists and test procedures; and" - }, - { - "id": "ra-5_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Measuring vulnerability impact;" - } - ] - }, - { - "id": "ra-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" - }, - { - "id": "ra-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk;" - }, - { - "id": "ra-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and" - }, - { - "id": "ra-5_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." - } - ] - }, - { - "id": "ra-5_gdn", - "name": "guidance", - "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\nVulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\nOrganizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." - } - ], - "controls": [ - { - "id": "ra-5.2", - "class": "SP800-53-enhancement", - "title": "Update System Vulnerabilities", - "parameters": [ - { - "id": "ra-5.2_prm_1" - }, - { - "id": "ra-5.2_prm_2", - "depends-on": "ra-5.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5(2)" - }, - { - "name": "sort-id", - "value": "RA-05(02)" - } - ], - "links": [ - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - } - ], - "parts": [ - { - "id": "ra-5.2_smt", - "name": "statement", - "prose": "Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}." - }, - { - "id": "ra-5.2_gdn", - "name": "guidance", - "prose": "Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." - } - ] - }, - { - "id": "ra-5.4", - "class": "SP800-53-enhancement", - "title": "Discoverable Information", - "parameters": [ - { - "id": "ra-5.4_prm_1", - "label": "organization-defined corrective actions" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5(4)" - }, - { - "name": "sort-id", - "value": "RA-05(04)" - } - ], - "links": [ - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#sc-26", - "rel": "related", - "text": "SC-26" - } - ], - "parts": [ - { - "id": "ra-5.4_smt", - "name": "statement", - "prose": "Determine information about the system that is discoverable and take {{ ra-5.4_prm_1 }}." - }, - { - "id": "ra-5.4_gdn", - "name": "guidance", - "prose": "Discoverable information includes information that adversaries could obtain without compromising or breaching the system, for example, by collecting information the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization." - } - ] - }, - { - "id": "ra-5.5", - "class": "SP800-53-enhancement", - "title": "Privileged Access", - "parameters": [ - { - "id": "ra-5.5_prm_1", - "label": "organization-defined system components" - }, - { - "id": "ra-5.5_prm_2", - "label": "organization-defined vulnerability scanning activities" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5(5)" - }, - { - "name": "sort-id", - "value": "RA-05(05)" - } - ], - "parts": [ - { - "id": "ra-5.5_smt", - "name": "statement", - "prose": "Implement privileged access authorization to {{ ra-5.5_prm_1 }} for {{ ra-5.5_prm_2 }}." - }, - { - "id": "ra-5.5_gdn", - "name": "guidance", - "prose": "In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning." - } - ] - } - ] - }, - { - "id": "ra-7", - "class": "SP800-53", - "title": "Risk Response", - "properties": [ - { - "name": "label", - "value": "RA-7" - }, - { - "name": "sort-id", - "value": "RA-07" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "ra-7_smt", - "name": "statement", - "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." - }, - { - "id": "ra-7_gdn", - "name": "guidance", - "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." - } - ] - }, - { - "id": "ra-9", - "class": "SP800-53", - "title": "Criticality Analysis", - "parameters": [ - { - "id": "ra-9_prm_1", - "label": "organization-defined systems, system components, or system services" - }, - { - "id": "ra-9_prm_2", - "label": "organization-defined decision points in the system development life cycle" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-9" - }, - { - "name": "sort-id", - "value": "RA-09" - } - ], - "links": [ - { - "href": "#7a93e915-fd58-4147-be12-e48044c367e6", - "rel": "reference", - "text": "[IR 8179]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - } - ], - "parts": [ - { - "id": "ra-9_smt", - "name": "statement", - "prose": "Identify critical system components and functions by performing a criticality analysis for {{ ra-9_prm_1 }} at {{ ra-9_prm_2 }}." - }, - { - "id": "ra-9_gdn", - "name": "guidance", - "prose": "Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2." - } - ] - } - ] - }, - { - "id": "sa", - "class": "family", - "title": "System and Services Acquisition", - "controls": [ - { - "id": "sa-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sa-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sa-1_prm_2" - }, - { - "id": "sa-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sa-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sa-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-1" - }, - { - "name": "sort-id", - "value": "SA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sa-1_smt", - "name": "statement", - "parts": [ - { - "id": "sa-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sa-1_prm_1 }}:", - "parts": [ - { - "id": "sa-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sa-1_prm_2 }} system and services acquisition policy that:", - "parts": [ - { - "id": "sa-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sa-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sa-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" - } - ] - }, - { - "id": "sa-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" - }, - { - "id": "sa-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and services acquisition:", - "parts": [ - { - "id": "sa-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sa-1_prm_4 }}; and" - }, - { - "id": "sa-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sa-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sa-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sa-2", - "class": "SP800-53", - "title": "Allocation of Resources", - "properties": [ - { - "name": "label", - "value": "SA-2" - }, - { - "name": "sort-id", - "value": "SA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pm-3", - "rel": "related", - "text": "PM-3" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-2_smt", - "name": "statement", - "parts": [ - { - "id": "sa-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" - }, - { - "id": "sa-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" - }, - { - "id": "sa-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." - } - ] - }, - { - "id": "sa-2_gdn", - "name": "guidance", - "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle." - } - ] - }, - { - "id": "sa-3", - "class": "SP800-53", - "title": "System Development Life Cycle", - "parameters": [ - { - "id": "sa-3_prm_1", - "label": "organization-defined system development life cycle" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-3" - }, - { - "name": "sort-id", - "value": "SA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "rel": "reference", - "text": "[SP 800-171B]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-22", - "rel": "related", - "text": "SA-22" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - } - ], - "parts": [ - { - "id": "sa-3_smt", - "name": "statement", - "parts": [ - { - "id": "sa-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations;" - }, - { - "id": "sa-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" - }, - { - "id": "sa-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Identify individuals having information security and privacy roles and responsibilities; and" - }, - { - "id": "sa-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." - } - ] - }, - { - "id": "sa-3_gdn", - "name": "guidance", - "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle." - } - ] - }, - { - "id": "sa-4", - "class": "SP800-53", - "title": "Acquisition Process", - "parameters": [ - { - "id": "sa-4_prm_1" - }, - { - "id": "sa-4_prm_2", - "depends-on": "sa-4_prm_1", - "label": "organization-defined contract language" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-4" - }, - { - "name": "sort-id", - "value": "SA-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "rel": "reference", - "text": "[ISO 15408-1]" - }, - { - "href": "#18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "rel": "reference", - "text": "[ISO 15408-2]" - }, - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#daf69edb-a0ef-4447-9880-8c4bf553181f", - "rel": "reference", - "text": "[IR 7676]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#5dac2312-1d0d-416f-aebb-400fa9775b74", - "rel": "reference", - "text": "[NIAP CCEVS]" - }, - { - "href": "#634dec27-df88-4c30-b1a4-b57cdfd24f20", - "rel": "reference", - "text": "[NSA CSFC]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-4_smt", - "name": "statement", - "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:", - "parts": [ - { - "id": "sa-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Security and privacy functional requirements;" - }, - { - "id": "sa-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Strength of mechanism requirements;" - }, - { - "id": "sa-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Security and privacy assurance requirements;" - }, - { - "id": "sa-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Controls needed to satisfy the security and privacy requirements." - }, - { - "id": "sa-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Security and privacy documentation requirements;" - }, - { - "id": "sa-4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Requirements for protecting security and privacy documentation;" - }, - { - "id": "sa-4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Description of the system development environment and environment in which the system is intended to operate;" - }, - { - "id": "sa-4_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" - }, - { - "id": "sa-4_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Acceptance criteria." - } - ] - }, - { - "id": "sa-4_gdn", - "name": "guidance", - "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement." - } - ], - "controls": [ - { - "id": "sa-4.1", - "class": "SP800-53-enhancement", - "title": "Functional Properties of Controls", - "properties": [ - { - "name": "label", - "value": "SA-4(1)" - }, - { - "name": "sort-id", - "value": "SA-04(01)" - } - ], - "parts": [ - { - "id": "sa-4.1_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented." - }, - { - "id": "sa-4.1_gdn", - "name": "guidance", - "prose": "Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls." - } - ] - }, - { - "id": "sa-4.2", - "class": "SP800-53-enhancement", - "title": "Design and Implementation Information for Controls", - "parameters": [ - { - "id": "sa-4.2_prm_1" - }, - { - "id": "sa-4.2_prm_2", - "depends-on": "sa-4.2_prm_1", - "label": "organization-defined design and implementation information" - }, - { - "id": "sa-4.2_prm_3", - "label": "organization-defined level of detail" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-4(2)" - }, - { - "name": "sort-id", - "value": "SA-04(02)" - } - ], - "parts": [ - { - "id": "sa-4.2_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}." - }, - { - "id": "sa-4.2_gdn", - "name": "guidance", - "prose": "Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system." - } - ] - }, - { - "id": "sa-4.5", - "class": "SP800-53-enhancement", - "title": "System, Component, and Service Configurations", - "parameters": [ - { - "id": "sa-4.5_prm_1", - "label": "organization-defined security configurations" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-4(5)" - }, - { - "name": "sort-id", - "value": "SA-04(05)" - } - ], - "parts": [ - { - "id": "sa-4.5_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to:", - "parts": [ - { - "id": "sa-4.5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Deliver the system, component, or service with {{ sa-4.5_prm_1 }} implemented; and" - }, - { - "id": "sa-4.5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade." - } - ] - }, - { - "id": "sa-4.5_gdn", - "name": "guidance", - "prose": "Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed." - } - ] - }, - { - "id": "sa-4.9", - "class": "SP800-53-enhancement", - "title": "Functions, Ports, Protocols, and Services in Use", - "properties": [ - { - "name": "label", - "value": "SA-4(9)" - }, - { - "name": "sort-id", - "value": "SA-04(09)" - } - ], - "links": [ - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - } - ], - "parts": [ - { - "id": "sa-4.9_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use." - }, - { - "id": "sa-4.9_gdn", - "name": "guidance", - "prose": "The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources." - } - ] - }, - { - "id": "sa-4.10", - "class": "SP800-53-enhancement", - "title": "Use of Approved PIV Products", - "properties": [ - { - "name": "label", - "value": "SA-4(10)" - }, - { - "name": "sort-id", - "value": "SA-04(10)" - } - ], - "links": [ - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - } - ], - "parts": [ - { - "id": "sa-4.10_smt", - "name": "statement", - "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." - }, - { - "id": "sa-4.10_gdn", - "name": "guidance", - "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations." - } - ] - } - ] - }, - { - "id": "sa-5", - "class": "SP800-53", - "title": "System Documentation", - "parameters": [ - { - "id": "sa-5_prm_1", - "label": "organization-defined actions" - }, - { - "id": "sa-5_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-5" - }, - { - "name": "sort-id", - "value": "SA-05" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "sa-5_smt", - "name": "statement", - "parts": [ - { - "id": "sa-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Obtain administrator documentation for the system, system component, or system service that describes:", - "parts": [ - { - "id": "sa-5_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Secure configuration, installation, and operation of the system, component, or service;" - }, - { - "id": "sa-5_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" - }, - { - "id": "sa-5_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" - } - ] - }, - { - "id": "sa-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Obtain user documentation for the system, system component, or system service that describes:", - "parts": [ - { - "id": "sa-5_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" - }, - { - "id": "sa-5_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" - }, - { - "id": "sa-5_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" - } - ] - }, - { - "id": "sa-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response;" - }, - { - "id": "sa-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect documentation as required, in accordance with the organizational risk management strategy; and" - }, - { - "id": "sa-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Distribute documentation to {{ sa-5_prm_2 }}." - } - ] - }, - { - "id": "sa-5_gdn", - "name": "guidance", - "prose": "System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." - } - ] - }, - { - "id": "sa-8", - "class": "SP800-53", - "title": "Security and Privacy Engineering Principles", - "parameters": [ - { - "id": "sa-8_prm_1", - "label": "organization-defined systems security and privacy engineering principles" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-8" - }, - { - "name": "sort-id", - "value": "SA-08" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-8_smt", - "name": "statement", - "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}." - }, - { - "id": "sa-8_gdn", - "name": "guidance", - "prose": "Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\nThe application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design." - } - ] - }, - { - "id": "sa-9", - "class": "SP800-53", - "title": "External System Services", - "parameters": [ - { - "id": "sa-9_prm_1", - "label": "organization-defined controls" - }, - { - "id": "sa-9_prm_2", - "label": "organization-defined processes, methods, and techniques" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-9" - }, - { - "name": "sort-id", - "value": "SA-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-9_smt", - "name": "statement", - "parts": [ - { - "id": "sa-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};" - }, - { - "id": "sa-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" - }, - { - "id": "sa-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}." - } - ] - }, - { - "id": "sa-9_gdn", - "name": "guidance", - "prose": "External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." - } - ], - "controls": [ - { - "id": "sa-9.2", - "class": "SP800-53-enhancement", - "title": "Identification of Functions, Ports, Protocols, and Services", - "parameters": [ - { - "id": "sa-9.2_prm_1", - "label": "organization-defined external system services" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-9(2)" - }, - { - "name": "sort-id", - "value": "SA-09(02)" - } - ], - "links": [ - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - } - ], - "parts": [ - { - "id": "sa-9.2_smt", - "name": "statement", - "prose": "Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ sa-9.2_prm_1 }}." - }, - { - "id": "sa-9.2_gdn", - "name": "guidance", - "prose": "Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols." - } - ] - } - ] - }, - { - "id": "sa-10", - "class": "SP800-53", - "title": "Developer Configuration Management", - "parameters": [ - { - "id": "sa-10_prm_1" - }, - { - "id": "sa-10_prm_2", - "label": "organization-defined configuration items under configuration management" - }, - { - "id": "sa-10_prm_3", - "label": "organization-defined personnel" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-10" - }, - { - "name": "sort-id", - "value": "SA-10" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "sa-10_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to:", - "parts": [ - { - "id": "sa-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Perform configuration management during system, component, or service {{ sa-10_prm_1 }};" - }, - { - "id": "sa-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};" - }, - { - "id": "sa-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Implement only organization-approved changes to the system, component, or service;" - }, - { - "id": "sa-10_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and" - }, - { - "id": "sa-10_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Track security flaws and flaw resolution within the system, component, or service and report findings to {{ sa-10_prm_3 }}." - } - ] - }, - { - "id": "sa-10_gdn", - "name": "guidance", - "prose": "Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.\nThe configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle." - } - ] - }, - { - "id": "sa-11", - "class": "SP800-53", - "title": "Developer Testing and Evaluation", - "parameters": [ - { - "id": "sa-11_prm_1" - }, - { - "id": "sa-11_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "sa-11_prm_3", - "label": "organization-defined depth and coverage" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-11" - }, - { - "name": "sort-id", - "value": "SA-11" - } - ], - "links": [ - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#fd0f14f5-8910-45c4-b60a-0c8936e00daa", - "rel": "reference", - "text": "[SP 800-154]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-7", - "rel": "related", - "text": "SR-7" - } - ], - "parts": [ - { - "id": "sa-11_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:", - "parts": [ - { - "id": "sa-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and implement a plan for ongoing security and privacy assessments;" - }, - { - "id": "sa-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }};" - }, - { - "id": "sa-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;" - }, - { - "id": "sa-11_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement a verifiable flaw remediation process; and" - }, - { - "id": "sa-11_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Correct flaws identified during testing and evaluation." - } - ] - }, - { - "id": "sa-11_gdn", - "name": "guidance", - "prose": "Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation." - } - ] - }, - { - "id": "sa-15", - "class": "SP800-53", - "title": "Development Process, Standards, and Tools", - "parameters": [ - { - "id": "sa-15_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "sa-15_prm_2", - "label": "organization-defined security and privacy requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-15" - }, - { - "name": "sort-id", - "value": "SA-15" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#7a93e915-fd58-4147-be12-e48044c367e6", - "rel": "reference", - "text": "[IR 8179]" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - } - ], - "parts": [ - { - "id": "sa-15_smt", - "name": "statement", - "parts": [ - { - "id": "sa-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require the developer of the system, system component, or system service to follow a documented development process that:", - "parts": [ - { - "id": "sa-15_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Explicitly addresses security and privacy requirements;" - }, - { - "id": "sa-15_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Identifies the standards and tools used in the development process;" - }, - { - "id": "sa-15_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Documents the specific tool options and tool configurations used in the development process; and" - }, - { - "id": "sa-15_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" - } - ] - }, - { - "id": "sa-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the development process, standards, tools, tool options, and tool configurations {{ sa-15_prm_1 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ sa-15_prm_2 }}." - } - ] - }, - { - "id": "sa-15_gdn", - "name": "guidance", - "prose": "Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes." - } - ], - "controls": [ - { - "id": "sa-15.3", - "class": "SP800-53-enhancement", - "title": "Criticality Analysis", - "parameters": [ - { - "id": "sa-15.3_prm_1", - "label": "organization-defined decision points in the system development life cycle" - }, - { - "id": "sa-15.3_prm_2", - "label": "organization-defined breadth and depth of criticality analysis" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-15(3)" - }, - { - "name": "sort-id", - "value": "SA-15(03)" - } - ], - "links": [ - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - } - ], - "parts": [ - { - "id": "sa-15.3_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to perform a criticality analysis:", - "parts": [ - { - "id": "sa-15.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "At the following decision points in the system development life cycle: {{ sa-15.3_prm_1 }}; and" - }, - { - "id": "sa-15.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "At the following level of rigor: {{ sa-15.3_prm_2 }}." - } - ] - }, - { - "id": "sa-15.3_gdn", - "name": "guidance", - "prose": "Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses." - } - ] - } - ] - }, - { - "id": "sa-16", - "class": "SP800-53", - "title": "Developer-provided Training", - "parameters": [ - { - "id": "sa-16_prm_1", - "label": "organization-defined training" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-16" - }, - { - "name": "sort-id", - "value": "SA-16" - } - ], - "links": [ - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - } - ], - "parts": [ - { - "id": "sa-16_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: {{ sa-16_prm_1 }}." - }, - { - "id": "sa-16_gdn", - "name": "guidance", - "prose": "Developer-provided training applies to external and internal (in-house) developers. Training of personnel is an essential element to help ensure the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training; classroom-style training; and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms." - } - ] - }, - { - "id": "sa-17", - "class": "SP800-53", - "title": "Developer Security Architecture and Design", - "properties": [ - { - "name": "label", - "value": "SA-17" - }, - { - "name": "sort-id", - "value": "SA-17" - } - ], - "links": [ - { - "href": "#18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "rel": "reference", - "text": "[ISO 15408-2]" - }, - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "sa-17_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to produce a design specification and security architecture that:", - "parts": [ - { - "id": "sa-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Is consistent with the organization’s security architecture that is an integral part the organization’s enterprise architecture;" - }, - { - "id": "sa-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Accurately and completely describes the required security functionality, and the allocation of controls among physical and logical components; and" - }, - { - "id": "sa-17_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection." - } - ] - }, - { - "id": "sa-17_gdn", - "name": "guidance", - "prose": "Developer security architecture and design is directed at external developers, although it could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security architecture and that the architecture is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services, and when there is a requirement to demonstrate consistency with the enterprise architecture and security architecture of the organization. [ISO 15408-2], [ISO 15408-3], and [SP 800-160 v1] provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing." - } - ] - }, - { - "id": "sa-21", - "class": "SP800-53", - "title": "Developer Screening", - "parameters": [ - { - "id": "sa-21_prm_1", - "label": "organization-defined system, system component, or system service" - }, - { - "id": "sa-21_prm_2", - "label": "organization-defined official government duties" - }, - { - "id": "sa-21_prm_3", - "label": "organization-defined additional personnel screening criteria" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-21" - }, - { - "name": "sort-id", - "value": "SA-21" - } - ], - "links": [ - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - } - ], - "parts": [ - { - "id": "sa-21_smt", - "name": "statement", - "prose": "Require that the developer of {{ sa-21_prm_1 }}:", - "parts": [ - { - "id": "sa-21_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Has appropriate access authorizations as determined by assigned {{ sa-21_prm_2 }};" - }, - { - "id": "sa-21_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Satisfies the following additional personnel screening criteria: {{ sa-21_prm_3 }}; and" - }, - { - "id": "sa-21_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Provides information that the access authorizations and screening criteria are satisfied." - } - ] - }, - { - "id": "sa-21_gdn", - "name": "guidance", - "prose": "Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals accessing the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships the company has with entities potentially affecting the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements." - } - ] - }, - { - "id": "sa-22", - "class": "SP800-53", - "title": "Unsupported System Components", - "parameters": [ - { - "id": "sa-22_prm_1" - }, - { - "id": "sa-22_prm_2", - "depends-on": "sa-22_prm_1", - "label": "organization-defined support from external providers" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-22" - }, - { - "name": "sort-id", - "value": "SA-22" - } - ], - "links": [ - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "sa-22_smt", - "name": "statement", - "parts": [ - { - "id": "sa-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" - }, - { - "id": "sa-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}." - } - ] - }, - { - "id": "sa-22_gdn", - "name": "guidance", - "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors." - } - ] - } - ] - }, - { - "id": "sc", - "class": "family", - "title": "System and Communications Protection", - "controls": [ - { - "id": "sc-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sc-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sc-1_prm_2" - }, - { - "id": "sc-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sc-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sc-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-1" - }, - { - "name": "sort-id", - "value": "SC-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sc-1_smt", - "name": "statement", - "parts": [ - { - "id": "sc-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sc-1_prm_1 }}:", - "parts": [ - { - "id": "sc-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sc-1_prm_2 }} system and communications protection policy that:", - "parts": [ - { - "id": "sc-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sc-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sc-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" - } - ] - }, - { - "id": "sc-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" - }, - { - "id": "sc-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and communications protection:", - "parts": [ - { - "id": "sc-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sc-1_prm_4 }}; and" - }, - { - "id": "sc-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sc-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sc-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sc-2", - "class": "SP800-53", - "title": "Separation of System and User Functionality", - "properties": [ - { - "name": "label", - "value": "SC-2" - }, - { - "name": "sort-id", - "value": "SC-02" - } - ], - "links": [ - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - } - ], - "parts": [ - { - "id": "sc-2_smt", - "name": "statement", - "prose": "Separate user functionality, including user interface services, from system management functionality." - }, - { - "id": "sc-2_gdn", - "name": "guidance", - "prose": "System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18)." - } - ] - }, - { - "id": "sc-3", - "class": "SP800-53", - "title": "Security Function Isolation", - "properties": [ - { - "name": "label", - "value": "SC-3" - }, - { - "name": "sort-id", - "value": "SC-03" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - }, - { - "href": "#si-16", - "rel": "related", - "text": "SI-16" - } - ], - "parts": [ - { - "id": "sc-3_smt", - "name": "statement", - "prose": "Isolate security functions from nonsecurity functions." - }, - { - "id": "sc-3_gdn", - "name": "guidance", - "prose": "Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Systems implement code separation in many ways, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18)." - } - ] - }, - { - "id": "sc-4", - "class": "SP800-53", - "title": "Information in Shared System Resources", - "properties": [ - { - "name": "label", - "value": "SC-4" - }, - { - "name": "sort-id", - "value": "SC-04" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "sc-4_smt", - "name": "statement", - "prose": "Prevent unauthorized and unintended information transfer via shared system resources." - }, - { - "id": "sc-4_gdn", - "name": "guidance", - "prose": "Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles." - } - ] - }, - { - "id": "sc-5", - "class": "SP800-53", - "title": "Denial of Service Protection", - "parameters": [ - { - "id": "sc-5_prm_1" - }, - { - "id": "sc-5_prm_2", - "label": "organization-defined types of denial of service events" - }, - { - "id": "sc-5_prm_3", - "label": "organization-defined controls by type of denial of service event" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-5" - }, - { - "name": "sort-id", - "value": "SC-05" - } - ], - "links": [ - { - "href": "#3862cd94-ff25-4631-9a9a-b92c21a0a923", - "rel": "reference", - "text": "[SP 800-189]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#sc-6", - "rel": "related", - "text": "SC-6" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - } - ], - "parts": [ - { - "id": "sc-5_smt", - "name": "statement", - "parts": [ - { - "id": "sc-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "\n {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and" - }, - { - "id": "sc-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}." - } - ] - }, - { - "id": "sc-5_gdn", - "name": "guidance", - "prose": "Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events." - } - ] - }, - { - "id": "sc-7", - "class": "SP800-53", - "title": "Boundary Protection", - "parameters": [ - { - "id": "sc-7_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7" - }, - { - "name": "sort-id", - "value": "SC-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#db7877cf-1013-4fb1-b943-ca9361d16370", - "rel": "reference", - "text": "[SP 800-41]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#3862cd94-ff25-4631-9a9a-b92c21a0a923", - "rel": "reference", - "text": "[SP 800-189]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - } - ], - "parts": [ - { - "id": "sc-7_smt", - "name": "statement", - "parts": [ - { - "id": "sc-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;" - }, - { - "id": "sc-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and" - }, - { - "id": "sc-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - } - ] - }, - { - "id": "sc-7_gdn", - "name": "guidance", - "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions." - } - ], - "controls": [ - { - "id": "sc-7.3", - "class": "SP800-53-enhancement", - "title": "Access Points", - "properties": [ - { - "name": "label", - "value": "SC-7(3)" - }, - { - "name": "sort-id", - "value": "SC-07(03)" - } - ], - "parts": [ - { - "id": "sc-7.3_smt", - "name": "statement", - "prose": "Limit the number of external network connections to the system." - }, - { - "id": "sc-7.3_gdn", - "name": "guidance", - "prose": "Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system." - } - ] - }, - { - "id": "sc-7.4", - "class": "SP800-53-enhancement", - "title": "External Telecommunications Services", - "parameters": [ - { - "id": "sc-7.4_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7(4)" - }, - { - "name": "sort-id", - "value": "SC-07(04)" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - } - ], - "parts": [ - { - "id": "sc-7.4_smt", - "name": "statement", - "parts": [ - { - "id": "sc-7.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Implement a managed interface for each external telecommunication service;" - }, - { - "id": "sc-7.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Establish a traffic flow policy for each managed interface;" - }, - { - "id": "sc-7.4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Protect the confidentiality and integrity of the information being transmitted across each interface;" - }, - { - "id": "sc-7.4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;" - }, - { - "id": "sc-7.4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(e)" - } - ], - "prose": "Review exceptions to the traffic flow policy {{ sc-7.4_prm_1 }} and remove exceptions that are no longer supported by an explicit mission or business need;" - }, - { - "id": "sc-7.4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(f)" - } - ], - "prose": "Prevent unauthorized exchange of control plane traffic with external networks;" - }, - { - "id": "sc-7.4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(g)" - } - ], - "prose": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and" - }, - { - "id": "sc-7.4_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(h)" - } - ], - "prose": "Filter unauthorized control plane traffic from external networks." - } - ] - }, - { - "id": "sc-7.4_gdn", - "name": "guidance", - "prose": "External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.”" - } - ] - }, - { - "id": "sc-7.5", - "class": "SP800-53-enhancement", - "title": "Deny by Default — Allow by Exception", - "parameters": [ - { - "id": "sc-7.5_prm_1" - }, - { - "id": "sc-7.5_prm_2", - "depends-on": "sc-7.5_prm_1", - "label": "organization-defined systems" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7(5)" - }, - { - "name": "sort-id", - "value": "SC-07(05)" - } - ], - "parts": [ - { - "id": "sc-7.5_smt", - "name": "statement", - "prose": "Deny network communications traffic by default and allow network communications traffic by exception {{ sc-7.5_prm_1 }}." - }, - { - "id": "sc-7.5_gdn", - "name": "guidance", - "prose": "Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system." - } - ] - }, - { - "id": "sc-7.7", - "class": "SP800-53-enhancement", - "title": "Prevent Split Tunneling for Remote Devices", - "properties": [ - { - "name": "label", - "value": "SC-7(7)" - }, - { - "name": "sort-id", - "value": "SC-07(07)" - } - ], - "parts": [ - { - "id": "sc-7.7_smt", - "name": "statement", - "prose": "Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks." - }, - { - "id": "sc-7.7_gdn", - "name": "guidance", - "prose": "Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information." - } - ] - }, - { - "id": "sc-7.8", - "class": "SP800-53-enhancement", - "title": "Route Traffic to Authenticated Proxy Servers", - "parameters": [ - { - "id": "sc-7.8_prm_1", - "label": "organization-defined internal communications traffic" - }, - { - "id": "sc-7.8_prm_2", - "label": "organization-defined external networks" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7(8)" - }, - { - "name": "sort-id", - "value": "SC-07(08)" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - } - ], - "parts": [ - { - "id": "sc-7.8_smt", - "name": "statement", - "prose": "Route {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces." - }, - { - "id": "sc-7.8_gdn", - "name": "guidance", - "prose": "External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation)." - } - ] - }, - { - "id": "sc-7.18", - "class": "SP800-53-enhancement", - "title": "Fail Secure", - "properties": [ - { - "name": "label", - "value": "SC-7(18)" - }, - { - "name": "sort-id", - "value": "SC-07(18)" - } - ], - "links": [ - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-12", - "rel": "related", - "text": "CP-12" - }, - { - "href": "#sc-24", - "rel": "related", - "text": "SC-24" - } - ], - "parts": [ - { - "id": "sc-7.18_smt", - "name": "statement", - "prose": "Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device." - }, - { - "id": "sc-7.18_gdn", - "name": "guidance", - "prose": "Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases." - } - ] - }, - { - "id": "sc-7.21", - "class": "SP800-53-enhancement", - "title": "Isolation of System Components", - "parameters": [ - { - "id": "sc-7.21_prm_1", - "label": "organization-defined system components" - }, - { - "id": "sc-7.21_prm_2", - "label": "organization-defined missions and/or business functions" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7(21)" - }, - { - "name": "sort-id", - "value": "SC-07(21)" - } - ], - "links": [ - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - } - ], - "parts": [ - { - "id": "sc-7.21_smt", - "name": "statement", - "prose": "Employ boundary protection mechanisms to isolate {{ sc-7.21_prm_1 }} supporting {{ sc-7.21_prm_2 }}." - }, - { - "id": "sc-7.21_gdn", - "name": "guidance", - "prose": "Organizations can isolate system components performing different missions or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization techniques; cross-domain devices separating subnetworks; and encrypting information flows among system components using distinct encryption keys." - } - ] - } - ] - }, - { - "id": "sc-8", - "class": "SP800-53", - "title": "Transmission Confidentiality and Integrity", - "parameters": [ - { - "id": "sc-8_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-8" - }, - { - "name": "sort-id", - "value": "SC-08" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#bbc7085f-b383-444e-af74-722a55cccc0f", - "rel": "reference", - "text": "[FIPS 197]" - }, - { - "href": "#286604ec-e383-4c1d-bd8c-d88f88e54a0f", - "rel": "reference", - "text": "[SP 800-52]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#36132a58-56fd-4980-9f6c-c010d3faf52b", - "rel": "reference", - "text": "[SP 800-113]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-16", - "rel": "related", - "text": "SC-16" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - } - ], - "parts": [ - { - "id": "sc-8_smt", - "name": "statement", - "prose": "Protect the {{ sc-8_prm_1 }} of transmitted information." - }, - { - "id": "sc-8_gdn", - "name": "guidance", - "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\nOrganizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." - } - ], - "controls": [ - { - "id": "sc-8.1", - "class": "SP800-53-enhancement", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "sc-8.1_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-8(1)" - }, - { - "name": "sort-id", - "value": "SC-08(01)" - } - ], - "links": [ - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "sc-8.1_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission." - }, - { - "id": "sc-8.1_gdn", - "name": "guidance", - "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path." - } - ] - } - ] - }, - { - "id": "sc-10", - "class": "SP800-53", - "title": "Network Disconnect", - "parameters": [ - { - "id": "sc-10_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-10" - }, - { - "name": "sort-id", - "value": "SC-10" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - } - ], - "parts": [ - { - "id": "sc-10_smt", - "name": "statement", - "prose": "Terminate the network connection associated with a communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity." - }, - { - "id": "sc-10_gdn", - "name": "guidance", - "prose": "Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses." - } - ] - }, - { - "id": "sc-12", - "class": "SP800-53", - "title": "Cryptographic Key Establishment and Management", - "parameters": [ - { - "id": "sc-12_prm_1", - "label": "organization-defined requirements for key generation, distribution, storage, access, and destruction" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-12" - }, - { - "name": "sort-id", - "value": "SC-12" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "rel": "reference", - "text": "[SP 800-56A]" - }, - { - "href": "#f417e4ec-cadb-47a8-a363-6006b32c28ad", - "rel": "reference", - "text": "[SP 800-56B]" - }, - { - "href": "#7c3ba335-62bd-4f03-888f-960790409b11", - "rel": "reference", - "text": "[SP 800-56C]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#f437b52f-7f26-42aa-8e8f-999e7d67b2fe", - "rel": "reference", - "text": "[IR 7956]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-11", - "rel": "related", - "text": "SC-11" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-17", - "rel": "related", - "text": "SC-17" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "sc-12_smt", - "name": "statement", - "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}." - }, - { - "id": "sc-12_gdn", - "name": "guidance", - "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." - } - ], - "controls": [ - { - "id": "sc-12.1", - "class": "SP800-53-enhancement", - "title": "Availability", - "properties": [ - { - "name": "label", - "value": "SC-12(1)" - }, - { - "name": "sort-id", - "value": "SC-12(01)" - } - ], - "parts": [ - { - "id": "sc-12.1_smt", - "name": "statement", - "prose": "Maintain availability of information in the event of the loss of cryptographic keys by users." - }, - { - "id": "sc-12.1_gdn", - "name": "guidance", - "prose": "Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. A forgotten passphrase is an example of losing a cryptographic key." - } - ] - } - ] - }, - { - "id": "sc-13", - "class": "SP800-53", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "sc-13_prm_1", - "label": "organization-defined cryptographic uses" - }, - { - "id": "sc-13_prm_2", - "label": "organization-defined types of cryptography for each specified cryptographic use" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-13" - }, - { - "name": "sort-id", - "value": "SC-13" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "sc-13_smt", - "name": "statement", - "parts": [ - { - "id": "sc-13_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine the {{ sc-13_prm_1 }}; and" - }, - { - "id": "sc-13_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}." - } - ] - }, - { - "id": "sc-13_gdn", - "name": "guidance", - "prose": "Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "sc-15", - "class": "SP800-53", - "title": "Collaborative Computing Devices and Applications", - "parameters": [ - { - "id": "sc-15_prm_1", - "label": "organization-defined exceptions where remote activation is to be allowed" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-15" - }, - { - "name": "sort-id", - "value": "SC-15" - } - ], - "links": [ - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#sc-42", - "rel": "related", - "text": "SC-42" - } - ], - "parts": [ - { - "id": "sc-15_smt", - "name": "statement", - "parts": [ - { - "id": "sc-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and" - }, - { - "id": "sc-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide an explicit indication of use to users physically present at the devices." - } - ] - }, - { - "id": "sc-15_gdn", - "name": "guidance", - "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated." - } - ] - }, - { - "id": "sc-17", - "class": "SP800-53", - "title": "Public Key Infrastructure Certificates", - "parameters": [ - { - "id": "sc-17_prm_1", - "label": "organization-defined certificate policy" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-17" - }, - { - "name": "sort-id", - "value": "SC-17" - } - ], - "links": [ - { - "href": "#b7140427-d4c4-467a-97a1-5ca9f7c6584a", - "rel": "reference", - "text": "[SP 800-32]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - } - ], - "parts": [ - { - "id": "sc-17_smt", - "name": "statement", - "parts": [ - { - "id": "sc-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Issue public key certificates under an {{ sc-17_prm_1 }} or obtain public key certificates from an approved service provider; and" - }, - { - "id": "sc-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Include only approved trust anchors in trust stores or certificate stores managed by the organization." - } - ] - }, - { - "id": "sc-17_gdn", - "name": "guidance", - "prose": "This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates." - } - ] - }, - { - "id": "sc-18", - "class": "SP800-53", - "title": "Mobile Code", - "properties": [ - { - "name": "label", - "value": "SC-18" - }, - { - "name": "sort-id", - "value": "SC-18" - } - ], - "links": [ - { - "href": "#8e334d74-fc06-47a9-bbb1-804fdfae0e44", - "rel": "reference", - "text": "[SP 800-28]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - } - ], - "parts": [ - { - "id": "sc-18_smt", - "name": "statement", - "parts": [ - { - "id": "sc-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define acceptable and unacceptable mobile code and mobile code technologies; and" - }, - { - "id": "sc-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize, monitor, and control the use of mobile code within the system." - } - ] - }, - { - "id": "sc-18_gdn", - "name": "guidance", - "prose": "Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source." - } - ] - }, - { - "id": "sc-20", - "class": "SP800-53", - "title": "Secure Name/address Resolution Service (authoritative Source)", - "properties": [ - { - "name": "label", - "value": "SC-20" - }, - { - "name": "sort-id", - "value": "SC-20" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-21", - "rel": "related", - "text": "SC-21" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - } - ], - "parts": [ - { - "id": "sc-20_smt", - "name": "statement", - "parts": [ - { - "id": "sc-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" - }, - { - "id": "sc-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." - } - ] - }, - { - "id": "sc-20_gdn", - "name": "guidance", - "prose": "This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." - } - ] - }, - { - "id": "sc-21", - "class": "SP800-53", - "title": "Secure Name/address Resolution Service (recursive or Caching Resolver)", - "properties": [ - { - "name": "label", - "value": "SC-21" - }, - { - "name": "sort-id", - "value": "SC-21" - } - ], - "links": [ - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - } - ], - "parts": [ - { - "id": "sc-21_smt", - "name": "statement", - "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources." - }, - { - "id": "sc-21_gdn", - "name": "guidance", - "prose": "Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." - } - ] - }, - { - "id": "sc-22", - "class": "SP800-53", - "title": "Architecture and Provisioning for Name/address Resolution Service", - "properties": [ - { - "name": "label", - "value": "SC-22" - }, - { - "name": "sort-id", - "value": "SC-22" - } - ], - "links": [ - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-21", - "rel": "related", - "text": "SC-21" - }, - { - "href": "#sc-24", - "rel": "related", - "text": "SC-24" - } - ], - "parts": [ - { - "id": "sc-22_smt", - "name": "statement", - "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." - }, - { - "id": "sc-22_gdn", - "name": "guidance", - "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists." - } - ] - }, - { - "id": "sc-23", - "class": "SP800-53", - "title": "Session Authenticity", - "properties": [ - { - "name": "label", - "value": "SC-23" - }, - { - "name": "sort-id", - "value": "SC-23" - } - ], - "links": [ - { - "href": "#286604ec-e383-4c1d-bd8c-d88f88e54a0f", - "rel": "reference", - "text": "[SP 800-52]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#1d91d984-0cb6-4f96-a01d-c39a3eee7d43", - "rel": "reference", - "text": "[SP 800-95]" - }, - { - "href": "#36132a58-56fd-4980-9f6c-c010d3faf52b", - "rel": "reference", - "text": "[SP 800-113]" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - }, - { - "href": "#sc-11", - "rel": "related", - "text": "SC-11" - } - ], - "parts": [ - { - "id": "sc-23_smt", - "name": "statement", - "prose": "Protect the authenticity of communications sessions." - }, - { - "id": "sc-23_gdn", - "name": "guidance", - "prose": "Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions." - } - ] - }, - { - "id": "sc-24", - "class": "SP800-53", - "title": "Fail in Known State", - "parameters": [ - { - "id": "sc-24_prm_1", - "label": "organization-defined known system state" - }, - { - "id": "sc-24_prm_2", - "label": "organization-defined system state information" - }, - { - "id": "sc-24_prm_3", - "label": "list of organization-defined types of system failures on organization-defined system components" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-24" - }, - { - "name": "sort-id", - "value": "SC-24" - } - ], - "links": [ - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#cp-12", - "rel": "related", - "text": "CP-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "sc-24_smt", - "name": "statement", - "prose": "Fail to a {{ sc-24_prm_1 }} for the following failures on the indicated components while preserving {{ sc-24_prm_2 }} in failure: {{ sc-24_prm_3 }}." - }, - { - "id": "sc-24_gdn", - "name": "guidance", - "prose": "Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes." - } - ] - }, - { - "id": "sc-28", - "class": "SP800-53", - "title": "Protection of Information at Rest", - "parameters": [ - { - "id": "sc-28_prm_1" - }, - { - "id": "sc-28_prm_2", - "label": "organization-defined information at rest" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-28" - }, - { - "name": "sort-id", - "value": "SC-28" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "rel": "reference", - "text": "[SP 800-56A]" - }, - { - "href": "#f417e4ec-cadb-47a8-a363-6006b32c28ad", - "rel": "reference", - "text": "[SP 800-56B]" - }, - { - "href": "#7c3ba335-62bd-4f03-888f-960790409b11", - "rel": "reference", - "text": "[SP 800-56C]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-16", - "rel": "related", - "text": "SI-16" - } - ], - "parts": [ - { - "id": "sc-28_smt", - "name": "statement", - "prose": "Protect the {{ sc-28_prm_1 }} of the following information at rest: {{ sc-28_prm_2 }}." - }, - { - "id": "sc-28_gdn", - "name": "guidance", - "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage." - } - ], - "controls": [ - { - "id": "sc-28.1", - "class": "SP800-53-enhancement", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "sc-28.1_prm_1", - "label": "organization-defined system components or media" - }, - { - "id": "sc-28.1_prm_2", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-28(1)" - }, - { - "name": "sort-id", - "value": "SC-28(01)" - } - ], - "links": [ - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - } - ], - "parts": [ - { - "id": "sc-28.1_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ sc-28.1_prm_1 }}: {{ sc-28.1_prm_2 }}." - }, - { - "id": "sc-28.1_gdn", - "name": "guidance", - "prose": "Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13)." - } - ] - } - ] - }, - { - "id": "sc-39", - "class": "SP800-53", - "title": "Process Isolation", - "properties": [ - { - "name": "label", - "value": "SC-39" - }, - { - "name": "sort-id", - "value": "SC-39" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#si-16", - "rel": "related", - "text": "SI-16" - } - ], - "parts": [ - { - "id": "sc-39_smt", - "name": "statement", - "prose": "Maintain a separate execution domain for each executing system process." - }, - { - "id": "sc-39_gdn", - "name": "guidance", - "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." - } - ] - } - ] - }, - { - "id": "si", - "class": "family", - "title": "System and Information Integrity", - "controls": [ - { - "id": "si-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "si-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-1_prm_2" - }, - { - "id": "si-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "si-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "si-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-1" - }, - { - "name": "sort-id", - "value": "SI-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "si-1_smt", - "name": "statement", - "parts": [ - { - "id": "si-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ si-1_prm_1 }}:", - "parts": [ - { - "id": "si-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ si-1_prm_2 }} system and information integrity policy that:", - "parts": [ - { - "id": "si-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "si-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "si-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" - } - ] - }, - { - "id": "si-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" - }, - { - "id": "si-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and information integrity:", - "parts": [ - { - "id": "si-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ si-1_prm_4 }}; and" - }, - { - "id": "si-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ si-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "si-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "si-2", - "class": "SP800-53", - "title": "Flaw Remediation", - "parameters": [ - { - "id": "si-2_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-2" - }, - { - "name": "sort-id", - "value": "SI-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "rel": "reference", - "text": "[IR 7788]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "si-2_smt", - "name": "statement", - "parts": [ - { - "id": "si-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify, report, and correct system flaws;" - }, - { - "id": "si-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" - }, - { - "id": "si-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and" - }, - { - "id": "si-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Incorporate flaw remediation into the organizational configuration management process." - } - ] - }, - { - "id": "si-2_gdn", - "name": "guidance", - "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\nOrganization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." - } - ], - "controls": [ - { - "id": "si-2.1", - "class": "SP800-53-enhancement", - "title": "Central Management", - "properties": [ - { - "name": "label", - "value": "SI-2(1)" - }, - { - "name": "sort-id", - "value": "SI-02(01)" - } - ], - "links": [ - { - "href": "#pl-9", - "rel": "related", - "text": "PL-9" - } - ], - "parts": [ - { - "id": "si-2.1_smt", - "name": "statement", - "prose": "Centrally manage the flaw remediation process." - }, - { - "id": "si-2.1_gdn", - "name": "guidance", - "prose": "Central management is the organization-wide management and implementation of flaw remediation processes. It includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation controls." - } - ] - }, - { - "id": "si-2.2", - "class": "SP800-53-enhancement", - "title": "Automated Flaw Remediation Status", - "parameters": [ - { - "id": "si-2.2_prm_1", - "label": "organization-defined automated mechanisms" - }, - { - "id": "si-2.2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-2(2)" - }, - { - "name": "sort-id", - "value": "SI-02(02)" - } - ], - "links": [ - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "si-2.2_smt", - "name": "statement", - "prose": "Determine if system components have applicable security-relevant software and firmware updates installed using {{ si-2.2_prm_1 }}\n {{ si-2.2_prm_2 }}." - }, - { - "id": "si-2.2_gdn", - "name": "guidance", - "prose": "Automated mechanisms can track and determine the status of known flaws for system components." - } - ] - } - ] - }, - { - "id": "si-3", - "class": "SP800-53", - "title": "Malicious Code Protection", - "parameters": [ - { - "id": "si-3_prm_1" - }, - { - "id": "si-3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "si-3_prm_3" - }, - { - "id": "si-3_prm_4" - }, - { - "id": "si-3_prm_5", - "depends-on": "si-3_prm_4", - "label": "organization-defined action" - }, - { - "id": "si-3_prm_6", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-3" - }, - { - "name": "sort-id", - "value": "SI-03" - } - ], - "links": [ - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#c972a85c-fa75-4596-be25-a338dc7e4e46", - "rel": "reference", - "text": "[SP 800-125B]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-26", - "rel": "related", - "text": "SC-26" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-44", - "rel": "related", - "text": "SC-44" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-8", - "rel": "related", - "text": "SI-8" - }, - { - "href": "#si-15", - "rel": "related", - "text": "SI-15" - } - ], - "parts": [ - { - "id": "si-3_smt", - "name": "statement", - "parts": [ - { - "id": "si-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" - }, - { - "id": "si-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" - }, - { - "id": "si-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Configure malicious code protection mechanisms to:", - "parts": [ - { - "id": "si-3_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" - }, - { - "id": "si-3_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection." - } - ] - }, - { - "id": "si-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." - } - ] - }, - { - "id": "si-3_gdn", - "name": "guidance", - "prose": "System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions.\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files." - } - ], - "controls": [ - { - "id": "si-3.1", - "class": "SP800-53-enhancement", - "title": "Central Management", - "properties": [ - { - "name": "label", - "value": "SI-3(1)" - }, - { - "name": "sort-id", - "value": "SI-03(01)" - } - ], - "links": [ - { - "href": "#pl-9", - "rel": "related", - "text": "PL-9" - } - ], - "parts": [ - { - "id": "si-3.1_smt", - "name": "statement", - "prose": "Centrally manage malicious code protection mechanisms." - }, - { - "id": "si-3.1_gdn", - "name": "guidance", - "prose": "Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls." - } - ] - } - ] - }, - { - "id": "si-4", - "class": "SP800-53", - "title": "System Monitoring", - "parameters": [ - { - "id": "si-4_prm_1", - "label": "organization-defined monitoring objectives" - }, - { - "id": "si-4_prm_2", - "label": "organization-defined techniques and methods" - }, - { - "id": "si-4_prm_3", - "label": "organization-defined system monitoring information" - }, - { - "id": "si-4_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-4_prm_5" - }, - { - "id": "si-4_prm_6", - "depends-on": "si-4_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4" - }, - { - "name": "sort-id", - "value": "SI-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#02d8ec60-6197-43f8-9f47-18732127963e", - "rel": "reference", - "text": "[SP 800-92]" - }, - { - "href": "#41e2e2c6-2260-4258-85c8-09db17c43103", - "rel": "reference", - "text": "[SP 800-94]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-10", - "rel": "related", - "text": "IA-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-26", - "rel": "related", - "text": "SC-26" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#sc-35", - "rel": "related", - "text": "SC-35" - }, - { - "href": "#sc-36", - "rel": "related", - "text": "SC-36" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - } - ], - "parts": [ - { - "id": "si-4_smt", - "name": "statement", - "parts": [ - { - "id": "si-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor the system to detect:", - "parts": [ - { - "id": "si-4_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and" - }, - { - "id": "si-4_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Unauthorized local, network, and remote connections;" - } - ] - }, - { - "id": "si-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }};" - }, - { - "id": "si-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", - "parts": [ - { - "id": "si-4_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Strategically within the system to collect organization-determined essential information; and" - }, - { - "id": "si-4_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" - } - ] - }, - { - "id": "si-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;" - }, - { - "id": "si-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" - }, - { - "id": "si-4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Obtain legal opinion regarding system monitoring activities; and" - }, - { - "id": "si-4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n {{ si-4_prm_5 }}." - } - ] - }, - { - "id": "si-4_gdn", - "name": "guidance", - "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\nDepending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ], - "controls": [ - { - "id": "si-4.2", - "class": "SP800-53-enhancement", - "title": "Automated Tools and Mechanisms for Real-time Analysis", - "properties": [ - { - "name": "label", - "value": "SI-4(2)" - }, - { - "name": "sort-id", - "value": "SI-04(02)" - } - ], - "links": [ - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-25", - "rel": "related", - "text": "PM-25" - } - ], - "parts": [ - { - "id": "si-4.2_smt", - "name": "statement", - "prose": "Employ automated tools and mechanisms to support near real-time analysis of events." - }, - { - "id": "si-4.2_gdn", - "name": "guidance", - "prose": "Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." - } - ] - }, - { - "id": "si-4.4", - "class": "SP800-53-enhancement", - "title": "Inbound and Outbound Communications Traffic", - "parameters": [ - { - "id": "si-4.4_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(4)" - }, - { - "name": "sort-id", - "value": "SI-04(04)" - } - ], - "parts": [ - { - "id": "si-4.4_smt", - "name": "statement", - "prose": "Monitor inbound and outbound communications traffic {{ si-4.4_prm_1 }} for unusual or unauthorized activities or conditions." - }, - { - "id": "si-4.4_gdn", - "name": "guidance", - "prose": "Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components." - } - ] - }, - { - "id": "si-4.5", - "class": "SP800-53-enhancement", - "title": "System-generated Alerts", - "parameters": [ - { - "id": "si-4.5_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-4.5_prm_2", - "label": "organization-defined compromise indicators" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(5)" - }, - { - "name": "sort-id", - "value": "SI-04(05)" - } - ], - "links": [ - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - } - ], - "parts": [ - { - "id": "si-4.5_smt", - "name": "statement", - "prose": "Alert {{ si-4.5_prm_1 }} when the following system-generated indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}." - }, - { - "id": "si-4.5_gdn", - "name": "guidance", - "prose": "Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats." - } - ] - }, - { - "id": "si-4.10", - "class": "SP800-53-enhancement", - "title": "Visibility of Encrypted Communications", - "parameters": [ - { - "id": "si-4.10_prm_1", - "label": "organization-defined encrypted communications traffic" - }, - { - "id": "si-4.10_prm_2", - "label": "organization-defined system monitoring tools and mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(10)" - }, - { - "name": "sort-id", - "value": "SI-04(10)" - } - ], - "parts": [ - { - "id": "si-4.10_smt", - "name": "statement", - "prose": "Make provisions so that {{ si-4.10_prm_1 }} is visible to {{ si-4.10_prm_2 }}." - }, - { - "id": "si-4.10_gdn", - "name": "guidance", - "prose": "Organizations balance the need for encrypting communications traffic to protect data confidentiality with the need for having visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types." - } - ] - }, - { - "id": "si-4.12", - "class": "SP800-53-enhancement", - "title": "Automated Organization-generated Alerts", - "parameters": [ - { - "id": "si-4.12_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-4.12_prm_2", - "label": "organization-defined automated mechanisms" - }, - { - "id": "si-4.12_prm_3", - "label": "organization-defined activities that trigger alerts" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(12)" - }, - { - "name": "sort-id", - "value": "SI-04(12)" - } - ], - "parts": [ - { - "id": "si-4.12_smt", - "name": "statement", - "prose": "Alert {{ si-4.12_prm_1 }} using {{ si-4.12_prm_2 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ si-4.12_prm_3 }}." - }, - { - "id": "si-4.12_gdn", - "name": "guidance", - "prose": "Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by systems in SI-4(5) that focus on information sources that are internal to the systems such as audit records, the sources of information for this enhancement focus on other entities such as suspicious activity reports and reports on potential insider threats." - } - ] - }, - { - "id": "si-4.14", - "class": "SP800-53-enhancement", - "title": "Wireless Intrusion Detection", - "properties": [ - { - "name": "label", - "value": "SI-4(14)" - }, - { - "name": "sort-id", - "value": "SI-04(14)" - } - ], - "links": [ - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - } - ], - "parts": [ - { - "id": "si-4.14_smt", - "name": "statement", - "prose": "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system." - }, - { - "id": "si-4.14_gdn", - "name": "guidance", - "prose": "Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems, but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems." - } - ] - }, - { - "id": "si-4.20", - "class": "SP800-53-enhancement", - "title": "Privileged Users", - "parameters": [ - { - "id": "si-4.20_prm_1", - "label": "organization-defined additional monitoring" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(20)" - }, - { - "name": "sort-id", - "value": "SI-04(20)" - } - ], - "links": [ - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - } - ], - "parts": [ - { - "id": "si-4.20_smt", - "name": "statement", - "prose": "Implement the following additional monitoring of privileged users: {{ si-4.20_prm_1 }}." - }, - { - "id": "si-4.20_gdn", - "name": "guidance", - "prose": "Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions." - } - ] - }, - { - "id": "si-4.22", - "class": "SP800-53-enhancement", - "title": "Unauthorized Network Services", - "parameters": [ - { - "id": "si-4.22_prm_1", - "label": "organization-defined authorization or approval processes" - }, - { - "id": "si-4.22_prm_2" - }, - { - "id": "si-4.22_prm_3", - "depends-on": "si-4.22_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(22)" - }, - { - "name": "sort-id", - "value": "SI-04(22)" - } - ], - "links": [ - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - } - ], - "parts": [ - { - "id": "si-4.22_smt", - "name": "statement", - "parts": [ - { - "id": "si-4.22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Detect network services that have not been authorized or approved by {{ si-4.22_prm_1 }}; and" - }, - { - "id": "si-4.22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "\n {{ si-4.22_prm_2 }} when detected." - } - ] - }, - { - "id": "si-4.22_gdn", - "name": "guidance", - "prose": "Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services." - } - ] - } - ] - }, - { - "id": "si-5", - "class": "SP800-53", - "title": "Security Alerts, Advisories, and Directives", - "parameters": [ - { - "id": "si-5_prm_1", - "label": "organization-defined external organizations" - }, - { - "id": "si-5_prm_2" - }, - { - "id": "si-5_prm_3", - "depends-on": "si-5_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-5_prm_4", - "depends-on": "si-5_prm_2", - "label": "organization-defined elements within the organization" - }, - { - "id": "si-5_prm_5", - "depends-on": "si-5_prm_2", - "label": "organization-defined external organizations" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-5" - }, - { - "name": "sort-id", - "value": "SI-05" - } - ], - "links": [ - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#pm-15", - "rel": "related", - "text": "PM-15" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "si-5_smt", - "name": "statement", - "parts": [ - { - "id": "si-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis;" - }, - { - "id": "si-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" - }, - { - "id": "si-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and" - }, - { - "id": "si-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." - } - ] - }, - { - "id": "si-5_gdn", - "name": "guidance", - "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." - } - ], - "controls": [ - { - "id": "si-5.1", - "class": "SP800-53-enhancement", - "title": "Automated Alerts and Advisories", - "parameters": [ - { - "id": "si-5.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-5(1)" - }, - { - "name": "sort-id", - "value": "SI-05(01)" - } - ], - "parts": [ - { - "id": "si-5.1_smt", - "name": "statement", - "prose": "Broadcast security alert and advisory information throughout the organization using {{ si-5.1_prm_1 }}." - }, - { - "id": "si-5.1_gdn", - "name": "guidance", - "prose": "The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of information security and privacy risk, including the governance level, mission and business process level, and the information system level." - } - ] - } - ] - }, - { - "id": "si-6", - "class": "SP800-53", - "title": "Security and Privacy Function Verification", - "parameters": [ - { - "id": "si-6_prm_1", - "label": "organization-defined security and privacy functions" - }, - { - "id": "si-6_prm_2" - }, - { - "id": "si-6_prm_3", - "depends-on": "si-6_prm_2", - "label": "organization-defined system transitional states" - }, - { - "id": "si-6_prm_4", - "depends-on": "si-6_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "si-6_prm_5", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-6_prm_6" - }, - { - "id": "si-6_prm_7", - "depends-on": "si-6_prm_6", - "label": "organization-defined alternative action(s)" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-6" - }, - { - "name": "sort-id", - "value": "SI-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "si-6_smt", - "name": "statement", - "parts": [ - { - "id": "si-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Verify the correct operation of {{ si-6_prm_1 }};" - }, - { - "id": "si-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Perform the verification of the functions specified in SI-6a {{ si-6_prm_2 }};" - }, - { - "id": "si-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Notify {{ si-6_prm_5 }} of failed security and privacy verification tests; and" - }, - { - "id": "si-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "\n {{ si-6_prm_6 }} when anomalies are discovered." - } - ] - }, - { - "id": "si-6_gdn", - "name": "guidance", - "prose": "Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy, or that privacy attributes are applied or used as expected." - } - ] - }, - { - "id": "si-7", - "class": "SP800-53", - "title": "Software, Firmware, and Information Integrity", - "parameters": [ - { - "id": "si-7_prm_1", - "label": "organization-defined software, firmware, and information" - }, - { - "id": "si-7_prm_2", - "label": "organization-defined actions" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7" - }, - { - "name": "sort-id", - "value": "SI-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#e9224c9b-4fa5-40b7-bfbb-02bff7712d92", - "rel": "reference", - "text": "[SP 800-147]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "si-7_smt", - "name": "statement", - "parts": [ - { - "id": "si-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ si-7_prm_1 }}; and" - }, - { - "id": "si-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ si-7_prm_2 }}." - } - ] - }, - { - "id": "si-7_gdn", - "name": "guidance", - "prose": "Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications." - } - ], - "controls": [ - { - "id": "si-7.1", - "class": "SP800-53-enhancement", - "title": "Integrity Checks", - "parameters": [ - { - "id": "si-7.1_prm_1", - "label": "organization-defined software, firmware, and information" - }, - { - "id": "si-7.1_prm_2" - }, - { - "id": "si-7.1_prm_3", - "depends-on": "si-7.1_prm_2", - "label": "organization-defined transitional states or security-relevant events" - }, - { - "id": "si-7.1_prm_4", - "depends-on": "si-7.1_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7(1)" - }, - { - "name": "sort-id", - "value": "SI-07(01)" - } - ], - "parts": [ - { - "id": "si-7.1_smt", - "name": "statement", - "prose": "Perform an integrity check of {{ si-7.1_prm_1 }}\n {{ si-7.1_prm_2 }}." - }, - { - "id": "si-7.1_gdn", - "name": "guidance", - "prose": "Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort." - } - ] - }, - { - "id": "si-7.2", - "class": "SP800-53-enhancement", - "title": "Automated Notifications of Integrity Violations", - "parameters": [ - { - "id": "si-7.2_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7(2)" - }, - { - "name": "sort-id", - "value": "SI-07(02)" - } - ], - "parts": [ - { - "id": "si-7.2_smt", - "name": "statement", - "prose": "Employ automated tools that provide notification to {{ si-7.2_prm_1 }} upon discovering discrepancies during integrity verification." - }, - { - "id": "si-7.2_gdn", - "name": "guidance", - "prose": "The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel having an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, systems administrators, software developers, systems integrators, and information security officers, and privacy officers." - } - ] - }, - { - "id": "si-7.5", - "class": "SP800-53-enhancement", - "title": "Automated Response to Integrity Violations", - "parameters": [ - { - "id": "si-7.5_prm_1" - }, - { - "id": "si-7.5_prm_2", - "depends-on": "si-7.5_prm_1", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7(5)" - }, - { - "name": "sort-id", - "value": "SI-07(05)" - } - ], - "parts": [ - { - "id": "si-7.5_smt", - "name": "statement", - "prose": "Automatically {{ si-7.5_prm_1 }} when integrity violations are discovered." - }, - { - "id": "si-7.5_gdn", - "name": "guidance", - "prose": "Organizations may define different integrity checking responses by type of information, by specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur." - } - ] - }, - { - "id": "si-7.7", - "class": "SP800-53-enhancement", - "title": "Integration of Detection and Response", - "parameters": [ - { - "id": "si-7.7_prm_1", - "label": "organization-defined security-relevant changes to the system" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7(7)" - }, - { - "name": "sort-id", - "value": "SI-07(07)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "si-7.7_smt", - "name": "statement", - "prose": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ si-7.7_prm_1 }}." - }, - { - "id": "si-7.7_gdn", - "name": "guidance", - "prose": "This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges." - } - ] - }, - { - "id": "si-7.15", - "class": "SP800-53-enhancement", - "title": "Code Authentication", - "parameters": [ - { - "id": "si-7.15_prm_1", - "label": "organization-defined software or firmware components" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7(15)" - }, - { - "name": "sort-id", - "value": "SI-07(15)" - } - ], - "links": [ - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - } - ], - "parts": [ - { - "id": "si-7.15_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ si-7.15_prm_1 }}." - }, - { - "id": "si-7.15_gdn", - "name": "guidance", - "prose": "Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations employing cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13)." - } - ] - } - ] - }, - { - "id": "si-8", - "class": "SP800-53", - "title": "Spam Protection", - "properties": [ - { - "name": "label", - "value": "SI-8" - }, - { - "name": "sort-id", - "value": "SI-08" - } - ], - "links": [ - { - "href": "#23b0a203-c020-47dd-b86c-9f8c35ecaa4e", - "rel": "reference", - "text": "[SP 800-45]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "si-8_smt", - "name": "statement", - "parts": [ - { - "id": "si-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and" - }, - { - "id": "si-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures." - } - ] - }, - { - "id": "si-8_gdn", - "name": "guidance", - "prose": "System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions." - } - ], - "controls": [ - { - "id": "si-8.1", - "class": "SP800-53-enhancement", - "title": "Central Management", - "properties": [ - { - "name": "label", - "value": "SI-8(1)" - }, - { - "name": "sort-id", - "value": "SI-08(01)" - } - ], - "links": [ - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "si-8.1_smt", - "name": "statement", - "prose": "Centrally manage spam protection mechanisms." - }, - { - "id": "si-8.1_gdn", - "name": "guidance", - "prose": "Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls." - } - ] - }, - { - "id": "si-8.2", - "class": "SP800-53-enhancement", - "title": "Automatic Updates", - "parameters": [ - { - "id": "si-8.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-8(2)" - }, - { - "name": "sort-id", - "value": "SI-08(02)" - } - ], - "parts": [ - { - "id": "si-8.2_smt", - "name": "statement", - "prose": "Automatically update spam protection mechanisms {{ si-8.2_prm_1 }}." - }, - { - "id": "si-8.2_gdn", - "name": "guidance", - "prose": "Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability." - } - ] - } - ] - }, - { - "id": "si-10", - "class": "SP800-53", - "title": "Information Input Validation", - "parameters": [ - { - "id": "si-10_prm_1", - "label": "organization-defined information inputs to the system" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-10" - }, - { - "name": "sort-id", - "value": "SI-10" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - } - ], - "parts": [ - { - "id": "si-10_smt", - "name": "statement", - "prose": "Check the validity of the following information inputs: {{ si-10_prm_1 }}." - }, - { - "id": "si-10_gdn", - "name": "guidance", - "prose": "Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks." - } - ] - }, - { - "id": "si-11", - "class": "SP800-53", - "title": "Error Handling", - "parameters": [ - { - "id": "si-11_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-11" - }, - { - "name": "sort-id", - "value": "SI-11" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "si-11_smt", - "name": "statement", - "parts": [ - { - "id": "si-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and" - }, - { - "id": "si-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Reveal error messages only to {{ si-11_prm_1 }}." - } - ] - }, - { - "id": "si-11_gdn", - "name": "guidance", - "prose": "Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information." - } - ] - }, - { - "id": "si-12", - "class": "SP800-53", - "title": "Information Management and Retention", - "properties": [ - { - "name": "label", - "value": "SI-12" - }, - { - "name": "sort-id", - "value": "SI-12" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-3", - "rel": "related", - "text": "MP-3" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - } - ], - "parts": [ - { - "id": "si-12_smt", - "name": "statement", - "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." - }, - { - "id": "si-12_gdn", - "name": "guidance", - "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel." - } - ] - }, - { - "id": "si-16", - "class": "SP800-53", - "title": "Memory Protection", - "parameters": [ - { - "id": "si-16_prm_1", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-16" - }, - { - "name": "sort-id", - "value": "SI-16" - } - ], - "links": [ - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - } - ], - "parts": [ - { - "id": "si-16_smt", - "name": "statement", - "prose": "Implement the following controls to protect the system memory from unauthorized code execution: {{ si-16_prm_1 }}." - }, - { - "id": "si-16_gdn", - "name": "guidance", - "prose": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism." - } - ] - } - ] - }, - { - "id": "sr", - "class": "family", - "title": "Supply Chain Risk Management", - "controls": [ - { - "id": "sr-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sr-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sr-1_prm_2" - }, - { - "id": "sr-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sr-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sr-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-1" - }, - { - "name": "sort-id", - "value": "SR-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sr-1_smt", - "name": "statement", - "parts": [ - { - "id": "sr-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sr-1_prm_1 }}:", - "parts": [ - { - "id": "sr-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sr-1_prm_2 }} supply chain risk management policy that:", - "parts": [ - { - "id": "sr-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sr-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sr-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" - } - ] - }, - { - "id": "sr-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" - }, - { - "id": "sr-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current supply chain risk management:", - "parts": [ - { - "id": "sr-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sr-1_prm_4 }}; and" - }, - { - "id": "sr-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sr-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sr-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sr-2", - "class": "SP800-53", - "title": "Supply Chain Risk Management Plan", - "parameters": [ - { - "id": "sr-2_prm_1", - "label": "organization-defined systems, system components, or system services" - }, - { - "id": "sr-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-2" - }, - { - "name": "sort-id", - "value": "SR-02" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "sr-2_smt", - "name": "statement", - "parts": [ - { - "id": "sr-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }};" - }, - { - "id": "sr-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the supply chain risk management plan consistently across the organization; and" - }, - { - "id": "sr-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes." - } - ] - }, - { - "id": "sr-2_gdn", - "name": "guidance", - "prose": "The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans.\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8)." - } - ], - "controls": [ - { - "id": "sr-2.1", - "class": "SP800-53-enhancement", - "title": "Establish Scrm Team", - "parameters": [ - { - "id": "sr-2.1_prm_1", - "label": "organization-defined personnel, roles, and responsibilities" - }, - { - "id": "sr-2.1_prm_2", - "label": "organization-defined supply chain risk management activities" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-2(1)" - }, - { - "name": "sort-id", - "value": "SR-02(01)" - } - ], - "parts": [ - { - "id": "sr-2.1_smt", - "name": "statement", - "prose": "Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}." - }, - { - "id": "sr-2.1_gdn", - "name": "guidance", - "prose": "To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team." - } - ] - } - ] - }, - { - "id": "sr-3", - "class": "SP800-53", - "title": "Supply Chain Controls and Processes", - "parameters": [ - { - "id": "sr-3_prm_1", - "label": "organization-defined system or system component" - }, - { - "id": "sr-3_prm_2", - "label": "organization-defined supply chain personnel" - }, - { - "id": "sr-3_prm_3", - "label": "organization-defined supply chain controls" - }, - { - "id": "sr-3_prm_4" - }, - { - "id": "sr-3_prm_5", - "depends-on": "sr-3_prm_4", - "label": "organization-defined document" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-3" - }, - { - "name": "sort-id", - "value": "SR-03" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-29", - "rel": "related", - "text": "SC-29" - }, - { - "href": "#sc-30", - "rel": "related", - "text": "SC-30" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-3_smt", - "name": "statement", - "parts": [ - { - "id": "sr-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }};" - }, - { - "id": "sr-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and" - }, - { - "id": "sr-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}." - } - ] - }, - { - "id": "sr-3_gdn", - "name": "guidance", - "prose": "Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." - } - ] - }, - { - "id": "sr-5", - "class": "SP800-53", - "title": "Acquisition Strategies, Tools, and Methods", - "parameters": [ - { - "id": "sr-5_prm_1", - "label": "organization-defined acquisition strategies, contract tools, and procurement methods" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-5" - }, - { - "name": "sort-id", - "value": "SR-05" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-5_smt", - "name": "statement", - "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}." - }, - { - "id": "sr-5_gdn", - "name": "guidance", - "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." - } - ] - }, - { - "id": "sr-6", - "class": "SP800-53", - "title": "Supplier Reviews", - "parameters": [ - { - "id": "sr-6_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-6" - }, - { - "name": "sort-id", - "value": "SR-06" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sr-6_smt", - "name": "statement", - "prose": "Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ sr-6_prm_1 }}." - }, - { - "id": "sr-6_gdn", - "name": "guidance", - "prose": "A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts." - } - ] - }, - { - "id": "sr-8", - "class": "SP800-53", - "title": "Notification Agreements", - "parameters": [ - { - "id": "sr-8_prm_1" - }, - { - "id": "sr-8_prm_2", - "depends-on": "sr-8_prm_1", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-8" - }, - { - "name": "sort-id", - "value": "SR-08" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - } - ], - "parts": [ - { - "id": "sr-8_smt", - "name": "statement", - "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}." - }, - { - "id": "sr-8_gdn", - "name": "guidance", - "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." - } - ] - }, - { - "id": "sr-9", - "class": "SP800-53", - "title": "Tamper Resistance and Detection", - "properties": [ - { - "name": "label", - "value": "SR-9" - }, - { - "name": "sort-id", - "value": "SR-09" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-9_smt", - "name": "statement", - "prose": "Implement a tamper protection program for the system, system component, or system service." - }, - { - "id": "sr-9_gdn", - "name": "guidance", - "prose": "Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use." - } - ], - "controls": [ - { - "id": "sr-9.1", - "class": "SP800-53-enhancement", - "title": "Multiple Stages of System Development Life Cycle", - "properties": [ - { - "name": "label", - "value": "SR-9(1)" - }, - { - "name": "sort-id", - "value": "SR-09(01)" - } - ], - "links": [ - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "sr-9.1_smt", - "name": "statement", - "prose": "Employ anti-tamper technologies, tools, and techniques during multiple stages in the system development life cycle, including design, development, integration, operations, and maintenance." - }, - { - "id": "sr-9.1_gdn", - "name": "guidance", - "prose": "Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage." - } - ] - } - ] - }, - { - "id": "sr-10", - "class": "SP800-53", - "title": "Inspection of Systems or Components", - "parameters": [ - { - "id": "sr-10_prm_1" - }, - { - "id": "sr-10_prm_2", - "depends-on": "sr-10_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "sr-10_prm_3", - "depends-on": "sr-10_prm_1", - "label": "organization-defined indications of need for inspection" - }, - { - "id": "sr-10_prm_4", - "label": "organization-defined systems or system components" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-10" - }, - { - "name": "sort-id", - "value": "SR-10" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-10_smt", - "name": "statement", - "prose": "Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}." - }, - { - "id": "sr-10_gdn", - "name": "guidance", - "prose": "Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations." - } - ] - }, - { - "id": "sr-11", - "class": "SP800-53", - "title": "Component Authenticity", - "parameters": [ - { - "id": "sr-11_prm_1" - }, - { - "id": "sr-11_prm_2", - "depends-on": "sr-11_prm_1", - "label": "organization-defined external reporting organizations" - }, - { - "id": "sr-11_prm_3", - "depends-on": "sr-11_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11" - }, - { - "name": "sort-id", - "value": "SR-11" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - } - ], - "parts": [ - { - "id": "sr-11_smt", - "name": "statement", - "parts": [ - { - "id": "sr-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" - }, - { - "id": "sr-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report counterfeit system components to {{ sr-11_prm_1 }}." - } - ] - }, - { - "id": "sr-11_gdn", - "name": "guidance", - "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." - } - ], - "controls": [ - { - "id": "sr-11.1", - "class": "SP800-53-enhancement", - "title": "Anti-counterfeit Training", - "parameters": [ - { - "id": "sr-11.1_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(1)" - }, - { - "name": "sort-id", - "value": "SR-11(01)" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "sr-11.1_smt", - "name": "statement", - "prose": "Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware)." - }, - { - "id": "sr-11.1_gdn", - "name": "guidance", - "prose": "None." - } - ] - }, - { - "id": "sr-11.2", - "class": "SP800-53-enhancement", - "title": "Configuration Control for Component Service and Repair", - "parameters": [ - { - "id": "sr-11.2_prm_1", - "label": "organization-defined system components" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(2)" - }, - { - "name": "sort-id", - "value": "SR-11(02)" - } - ], - "links": [ - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - } - ], - "parts": [ - { - "id": "sr-11.2_smt", - "name": "statement", - "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}." - }, - { - "id": "sr-11.2_gdn", - "name": "guidance", - "prose": "None." - } - ] - }, - { - "id": "sr-11.3", - "class": "SP800-53-enhancement", - "title": "Component Disposal", - "parameters": [ - { - "id": "sr-11.3_prm_1", - "label": "organization-defined techniques and methods" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(3)" - }, - { - "name": "sort-id", - "value": "SR-11(03)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - } - ], - "parts": [ - { - "id": "sr-11.3_smt", - "name": "statement", - "prose": "Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}." - }, - { - "id": "sr-11.3_gdn", - "name": "guidance", - "prose": "Proper disposal of system components helps to prevent such components from entering the gray market." - } - ] - } - ] - } - ] - } - ], - "back-matter": { - "resources": [ - { - "uuid": "a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "title": "[PRIVACT]", - "citation": { - "text": "Privacy Act (P.L. 93-579), December 1974." - }, - "rlinks": [ - { - "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" - } - ] - }, - { - "uuid": "43facb7b-0afb-480f-8191-34790d5b444b", - "title": "[EVIDACT]", - "citation": { - "text": "Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf" - } - ] - }, - { - "uuid": "52a8b0c6-0c6b-424b-928d-41c50ba87838", - "title": "[EO 13526]", - "citation": { - "text": "Executive Order 13526, *Classified National Security Information*, December 2009." - }, - "rlinks": [ - { - "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" - } - ] - }, - { - "uuid": "14958422-54f6-471f-a345-802dca594dd8", - "title": "[FISMA]", - "citation": { - "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" - } - ] - }, - { - "uuid": "2b5e12fb-633f-49e6-8aff-81d75bf53545", - "title": "[EO 13587]", - "citation": { - "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011." - }, - "rlinks": [ - { - "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" - } - ] - }, - { - "uuid": "cde25174-38e0-4a00-8919-8ee3674b8088", - "title": "[HSPD 7]", - "citation": { - "text": "Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/homeland-security-presidential-directive-7" - } - ] - }, - { - "uuid": "2383ccfd-d8a0-4e3a-bf40-21288ae1e07a", - "title": "[5 CFR 731]", - "citation": { - "text": "Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106)." - }, - "rlinks": [ - { - "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" - } - ] - }, - { - "uuid": "742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "title": "[32 CFR 2002]", - "citation": { - "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002)." - }, - "rlinks": [ - { - "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" - } - ] - }, - { - "uuid": "286d42a1-efbe-49a2-9ce1-4c9bf68feb3b", - "title": "[ODNI NITP]", - "citation": { - "text": "Office of the Director National Intelligence, *National Insider Threat Policy*\n " - }, - "rlinks": [ - { - "href": "https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf" - } - ] - }, - { - "uuid": "395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "title": "[OMB A-108]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf" - } - ] - }, - { - "uuid": "a646d45d-775f-4887-86d3-5a00ffbc4090", - "title": "[OMB A-130]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016." - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" - } - ] - }, - { - "uuid": "f7d3617a-9a4f-4f1a-a688-845081b70390", - "title": "[OMB M-17-06]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf" - } - ] - }, - { - "uuid": "389fe193-866e-46b1-bf1d-38904b56aa7b", - "title": "[OMB M-17-12]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n " - }, - "rlinks": [ - { - "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" - } - ] - }, - { - "uuid": "ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3", - "title": "[OMB M-17-25]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf" - } - ] - }, - { - "uuid": "d843e915-eeb6-4bbe-8cab-ccc802088703", - "title": "[OMB M-19-23]", - "citation": { - "text": "Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf" - } - ] - }, - { - "uuid": "ee96f130-3f91-46ed-a4d8-57e5f220a623", - "title": "[CNSSI 1253]", - "citation": { - "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014." - }, - "rlinks": [ - { - "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" - } - ] - }, - { - "uuid": "24b7b1ec-6430-41de-9353-29fdb1b488fc", - "title": "[DHS NIPP]", - "citation": { - "text": "Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf" - } - ] - }, - { - "uuid": "6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "title": "[ISO 15408-1]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" - } - ] - }, - { - "uuid": "18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "title": "[ISO 15408-2]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" - } - ] - }, - { - "uuid": "2ce3a8bf-7f8b-4249-bd16-808231415b14", - "title": "[ISO 15408-3]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" - } - ] - }, - { - "uuid": "aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "title": "[FIPS 140-3]", - "citation": { - "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.140-3" - } - ] - }, - { - "uuid": "d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "title": "[FIPS 180-4]", - "citation": { - "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.180-4" - } - ] - }, - { - "uuid": "0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "title": "[FIPS 186-4]", - "citation": { - "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.186-4" - } - ] - }, - { - "uuid": "bbc7085f-b383-444e-af74-722a55cccc0f", - "title": "[FIPS 197]", - "citation": { - "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.197" - } - ] - }, - { - "uuid": "b3e26423-0687-47c7-ba9a-a96870d58a27", - "title": "[FIPS 199]", - "citation": { - "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.199" - } - ] - }, - { - "uuid": "f2163084-3287-45e2-9ee7-95f020415495", - "title": "[FIPS 200]", - "citation": { - "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.200" - } - ] - }, - { - "uuid": "ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "title": "[FIPS 201-2]", - "citation": { - "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.201-2" - } - ] - }, - { - "uuid": "11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "title": "[FIPS 202]", - "citation": { - "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.202" - } - ] - }, - { - "uuid": "12702585-0c72-43c9-9185-a76a59f74233", - "title": "[SP 800-12]", - "citation": { - "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-12r1" - } - ] - }, - { - "uuid": "ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "title": "[SP 800-18]", - "citation": { - "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-18r1" - } - ] - }, - { - "uuid": "8e334d74-fc06-47a9-bbb1-804fdfae0e44", - "title": "[SP 800-28]", - "citation": { - "text": "Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-28ver2" - } - ] - }, - { - "uuid": "1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "title": "[SP 800-30]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-30r1" - } - ] - }, - { - "uuid": "b7140427-d4c4-467a-97a1-5ca9f7c6584a", - "title": "[SP 800-32]", - "citation": { - "text": "Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-32" - } - ] - }, - { - "uuid": "65774382-fcc6-4bbc-89fc-9d35aab19952", - "title": "[SP 800-34]", - "citation": { - "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-34r1" - } - ] - }, - { - "uuid": "ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "title": "[SP 800-35]", - "citation": { - "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-35" - } - ] - }, - { - "uuid": "e07d73ea-96b9-4330-aff2-e0215f455343", - "title": "[SP 800-37]", - "citation": { - "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-37r2" - } - ] - }, - { - "uuid": "451e9636-402e-4c27-b3f5-e0e50f957f27", - "title": "[SP 800-39]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-39" - } - ] - }, - { - "uuid": "1126ec09-2b27-4a21-80b2-fef70b31c49d", - "title": "[SP 800-40]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-40r3" - } - ] - }, - { - "uuid": "db7877cf-1013-4fb1-b943-ca9361d16370", - "title": "[SP 800-41]", - "citation": { - "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-41r1" - } - ] - }, - { - "uuid": "23b0a203-c020-47dd-b86c-9f8c35ecaa4e", - "title": "[SP 800-45]", - "citation": { - "text": "Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-45ver2" - } - ] - }, - { - "uuid": "7768c184-088d-4ee8-a316-f9286b52df7f", - "title": "[SP 800-46]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-46r2" - } - ] - }, - { - "uuid": "2e66c31a-190e-49ad-8e00-f306f8a0df17", - "title": "[SP 800-47]", - "citation": { - "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-47" - } - ] - }, - { - "uuid": "2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "title": "[SP 800-50]", - "citation": { - "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-50" - } - ] - }, - { - "uuid": "286604ec-e383-4c1d-bd8c-d88f88e54a0f", - "title": "[SP 800-52]", - "citation": { - "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-52r2" - } - ] - }, - { - "uuid": "5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "title": "[SP 800-53A]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" - } - ] - }, - { - "uuid": "31f3c9de-c57c-4281-929b-f9951f9640f1", - "title": "[SP 800-53B]", - "citation": { - "text": "National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020." - } - }, - { - "uuid": "8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "title": "[SP 800-55]", - "citation": { - "text": "Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-55r1" - } - ] - }, - { - "uuid": "77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "title": "[SP 800-56A]", - "citation": { - "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" - } - ] - }, - { - "uuid": "f417e4ec-cadb-47a8-a363-6006b32c28ad", - "title": "[SP 800-56B]", - "citation": { - "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" - } - ] - }, - { - "uuid": "7c3ba335-62bd-4f03-888f-960790409b11", - "title": "[SP 800-56C]", - "citation": { - "text": "Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Cr1" - } - ] - }, - { - "uuid": "770f9bdc-4023-48ef-8206-c65397f061ea", - "title": "[SP 800-57-1]", - "citation": { - "text": "Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r4" - } - ] - }, - { - "uuid": "69644a9e-438a-47c3-bac9-cf28b5baf848", - "title": "[SP 800-57-2]", - "citation": { - "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" - } - ] - }, - { - "uuid": "9933c883-e8f3-4a83-9a9a-d1e058038080", - "title": "[SP 800-57-3]", - "citation": { - "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" - } - ] - }, - { - "uuid": "68949f14-9cf5-4116-91d8-e820b9df3ffd", - "title": "[SP 800-60 v1]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" - } - ] - }, - { - "uuid": "e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "title": "[SP 800-60 v2]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" - } - ] - }, - { - "uuid": "7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "title": "[SP 800-61]", - "citation": { - "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-61r2" - } - ] - }, - { - "uuid": "549993c0-9bdd-4d49-875c-f56950cc5f30", - "title": "[SP 800-63-3]", - "citation": { - "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-63-3" - } - ] - }, - { - "uuid": "3c50fa31-7f4d-4d30-91d7-27ee87cd5f75", - "title": "[SP 800-63A]", - "citation": { - "text": "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-63a" - } - ] - }, - { - "uuid": "14a7d982-9747-48e0-a877-3e8fbf6ae381", - "title": "[SP 800-70]", - "citation": { - "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-70r4" - } - ] - }, - { - "uuid": "3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "title": "[SP 800-73-4]", - "citation": { - "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-73-4" - } - ] - }, - { - "uuid": "d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "title": "[SP 800-76-2]", - "citation": { - "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-76-2" - } - ] - }, - { - "uuid": "8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "title": "[SP 800-77]", - "citation": { - "text": "Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-77" - } - ] - }, - { - "uuid": "013e098f-0680-4856-a130-b768c69dab9c", - "title": "[SP 800-78-4]", - "citation": { - "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-78-4" - } - ] - }, - { - "uuid": "bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "title": "[SP 800-79-2]", - "citation": { - "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-79-2" - } - ] - }, - { - "uuid": "93d44344-59f9-4669-845d-6cc2a5852621", - "title": "[SP 800-81-2]", - "citation": { - "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-81-2" - } - ] - }, - { - "uuid": "8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "title": "[SP 800-83]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-83r1" - } - ] - }, - { - "uuid": "20bf433b-074c-47a0-8fca-cd591772ccd6", - "title": "[SP 800-84]", - "citation": { - "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-84" - } - ] - }, - { - "uuid": "35dfd59f-eef2-4f71-bdb5-6d878267456a", - "title": "[SP 800-86]", - "citation": { - "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-86" - } - ] - }, - { - "uuid": "fed6a3b5-2b74-499f-9172-46671f7c24c8", - "title": "[SP 800-88]", - "citation": { - "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-88r1" - } - ] - }, - { - "uuid": "02d8ec60-6197-43f8-9f47-18732127963e", - "title": "[SP 800-92]", - "citation": { - "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-92" - } - ] - }, - { - "uuid": "41e2e2c6-2260-4258-85c8-09db17c43103", - "title": "[SP 800-94]", - "citation": { - "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-94" - } - ] - }, - { - "uuid": "1d91d984-0cb6-4f96-a01d-c39a3eee7d43", - "title": "[SP 800-95]", - "citation": { - "text": "Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-95" - } - ] - }, - { - "uuid": "6bed1550-cd5d-4e80-8d83-4e597c1514fe", - "title": "[SP 800-97]", - "citation": { - "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-97" - } - ] - }, - { - "uuid": "9183bd83-170e-4701-b32c-97e08ef8bedb", - "title": "[SP 800-100]", - "citation": { - "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-100" - } - ] - }, - { - "uuid": "1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "title": "[SP 800-101]", - "citation": { - "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-101r1" - } - ] - }, - { - "uuid": "1b14b50f-7154-4226-958c-7dfff8276755", - "title": "[SP 800-111]", - "citation": { - "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-111" - } - ] - }, - { - "uuid": "36132a58-56fd-4980-9f6c-c010d3faf52b", - "title": "[SP 800-113]", - "citation": { - "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-113" - } - ] - }, - { - "uuid": "49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "title": "[SP 800-114]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-114r1" - } - ] - }, - { - "uuid": "a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "title": "[SP 800-115]", - "citation": { - "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-115" - } - ] - }, - { - "uuid": "ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "title": "[SP 800-116]", - "citation": { - "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-116r1" - } - ] - }, - { - "uuid": "60b24979-65b8-4ca5-a442-11b74339fab5", - "title": "[SP 800-121]", - "citation": { - "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-121r2" - } - ] - }, - { - "uuid": "18c6942b-95f8-414c-b548-c8e6b8d8a172", - "title": "[SP 800-124]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-124r1" - } - ] - }, - { - "uuid": "c972a85c-fa75-4596-be25-a338dc7e4e46", - "title": "[SP 800-125B]", - "citation": { - "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-125B" - } - ] - }, - { - "uuid": "0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "title": "[SP 800-126]", - "citation": { - "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-126r3" - } - ] - }, - { - "uuid": "a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "title": "[SP 800-128]", - "citation": { - "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-128" - } - ] - }, - { - "uuid": "ae412317-c2b4-47bb-b47b-c329ce0d7a0b", - "title": "[SP 800-130]", - "citation": { - "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-130" - } - ] - }, - { - "uuid": "c3b34083-77b2-4dab-a980-73068f8933bd", - "title": "[SP 800-137]", - "citation": { - "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-137" - } - ] - }, - { - "uuid": "e9224c9b-4fa5-40b7-bfbb-02bff7712d92", - "title": "[SP 800-147]", - "citation": { - "text": "Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-147" - } - ] - }, - { - "uuid": "ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "title": "[SP 800-150]", - "citation": { - "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-150" - } - ] - }, - { - "uuid": "38dbdf55-9a14-446f-b563-c48e4e3d37fb", - "title": "[SP 800-152]", - "citation": { - "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-152" - } - ] - }, - { - "uuid": "fd0f14f5-8910-45c4-b60a-0c8936e00daa", - "title": "[SP 800-154]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/publications/detail/sp/800-154/draft" - } - ] - }, - { - "uuid": "f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa", - "title": "[SP 800-156]", - "citation": { - "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-156" - } - ] - }, - { - "uuid": "8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "title": "[SP 800-160 v1]", - "citation": { - "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v1" - } - ] - }, - { - "uuid": "8411e6e8-09bd-431d-bbcb-3423d36ad880", - "title": "[SP 800-160 v2]", - "citation": { - "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v2" - } - ] - }, - { - "uuid": "66476e76-46b4-47fb-be19-d13e6f3840df", - "title": "[SP 800-161]", - "citation": { - "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-161" - } - ] - }, - { - "uuid": "359f960c-2598-454c-ba3b-a30c553e498f", - "title": "[SP 800-162]", - "citation": { - "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-162" - } - ] - }, - { - "uuid": "a8f55663-86c5-415b-aabe-d2a126981d65", - "title": "[SP 800-166]", - "citation": { - "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-166" - } - ] - }, - { - "uuid": "893d1736-324c-41d6-a5f4-d526b5ca981a", - "title": "[SP 800-167]", - "citation": { - "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-167" - } - ] - }, - { - "uuid": "0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "title": "[SP 800-171]", - "citation": { - "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-171r2" - } - ] - }, - { - "uuid": "aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "title": "[SP 800-171B]", - "citation": { - "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf" - } - ] - }, - { - "uuid": "64e044e4-b2a9-490f-a079-1106407c812f", - "title": "[SP 800-177]", - "citation": { - "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-177r1" - } - ] - }, - { - "uuid": "223b23a9-baea-4a50-8058-63cf7967b61f", - "title": "[SP 800-178]", - "citation": { - "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-178" - } - ] - }, - { - "uuid": "f4c3f657-de83-47ae-9aec-e144de8268d1", - "title": "[SP 800-181]", - "citation": { - "text": "Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-181" - } - ] - }, - { - "uuid": "08f518f7-f9b9-4bee-8986-860214f46b16", - "title": "[SP 800-184]", - "citation": { - "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-184" - } - ] - }, - { - "uuid": "eadef75e-7e4d-4554-b818-44946c1dde0e", - "title": "[SP 800-188]", - "citation": { - "text": "Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/publications/detail/sp/800-188/draft" - } - ] - }, - { - "uuid": "3862cd94-ff25-4631-9a9a-b92c21a0a923", - "title": "[SP 800-189]", - "citation": { - "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-189" - } - ] - }, - { - "uuid": "06d3c11a-4a00-42d9-ad75-e6a777ffae5e", - "title": "[SP 800-192]", - "citation": { - "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-192" - } - ] - }, - { - "uuid": "d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "title": "[IR 7539]", - "citation": { - "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7539" - } - ] - }, - { - "uuid": "09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "title": "[IR 7559]", - "citation": { - "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7559" - } - ] - }, - { - "uuid": "7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "title": "[IR 7622]", - "citation": { - "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7622" - } - ] - }, - { - "uuid": "daf69edb-a0ef-4447-9880-8c4bf553181f", - "title": "[IR 7676]", - "citation": { - "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7676" - } - ] - }, - { - "uuid": "bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "title": "[IR 7788]", - "citation": { - "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7788" - } - ] - }, - { - "uuid": "a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "title": "[IR 7817]", - "citation": { - "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7817" - } - ] - }, - { - "uuid": "972c10bd-aedf-485f-b0db-f46a402127e2", - "title": "[IR 7849]", - "citation": { - "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7849" - } - ] - }, - { - "uuid": "197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "title": "[IR 7870]", - "citation": { - "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7870" - } - ] - }, - { - "uuid": "bb22d510-54a9-4588-b725-00d37576562b", - "title": "[IR 7874]", - "citation": { - "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7874" - } - ] - }, - { - "uuid": "f437b52f-7f26-42aa-8e8f-999e7d67b2fe", - "title": "[IR 7956]", - "citation": { - "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7956" - } - ] - }, - { - "uuid": "30213e10-2aca-47b3-8cdb-61303e0959f5", - "title": "[IR 7966]", - "citation": { - "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7966" - } - ] - }, - { - "uuid": "851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "title": "[IR 8011 v1]", - "citation": { - "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8011-1" - } - ] - }, - { - "uuid": "7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "title": "[IR 8023]", - "citation": { - "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8023" - } - ] - }, - { - "uuid": "24738ee6-b3f3-4e37-825b-58775846bdbc", - "title": "[IR 8040]", - "citation": { - "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8040" - } - ] - }, - { - "uuid": "817b4227-5857-494d-9032-915980b32f15", - "title": "[IR 8062]", - "citation": { - "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8062" - } - ] - }, - { - "uuid": "7a93e915-fd58-4147-be12-e48044c367e6", - "title": "[IR 8179]", - "citation": { - "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8179" - } - ] - }, - { - "uuid": "294eed19-7471-4517-9480-2ec73e7c6a78", - "title": "[DOD STIG]", - "citation": { - "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." - }, - "rlinks": [ - { - "href": "https://iase.disa.mil/stigs/Pages/index.aspx" - } - ] - }, - { - "uuid": "17ca9481-ea11-4ef2-81c1-885fd37d4be5", - "title": "[IETF 5905]", - "citation": { - "text": "" - } - }, - { - "uuid": "dd87fdf0-840d-4392-9de4-220b2327e340", - "title": "[NARA CUI]", - "citation": { - "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." - }, - "rlinks": [ - { - "href": "https://www.archives.gov/cui" - } - ] - }, - { - "uuid": "5dac2312-1d0d-416f-aebb-400fa9775b74", - "title": "[NIAP CCEVS]", - "citation": { - "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." - }, - "rlinks": [ - { - "href": "https://www.niap-ccevs.org/" - } - ] - }, - { - "uuid": "5cc04a1c-5489-4751-a493-746a9639067b", - "title": "[NCPR]", - "citation": { - "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at" - }, - "rlinks": [ - { - "href": "https://nvd.nist.gov/ncp/repository" - } - ] - }, - { - "uuid": "634dec27-df88-4c30-b1a4-b57cdfd24f20", - "title": "[NSA CSFC]", - "citation": { - "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/csfc" - } - ] - }, - { - "uuid": "a52271dc-11b5-423a-8b6f-14867bd94259", - "title": "[NSA MEDIA]", - "citation": { - "text": "National Security Agency, *Media Destruction Guidance*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/media-destruction" - } - ] - }, - { - "uuid": "06842bea-64c9-4e20-807a-b8fc003fa737", - "title": "[USGCB]", - "citation": { - "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at" - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" - } - ] - } - ] - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile-min.json deleted file mode 100644 index cba45096af..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile-min.json +++ /dev/null @@ -1 +0,0 @@ -{"profile":{"uuid":"3ae6cabe-4976-43e4-b921-11c34b432b51","metadata":{"title":"SP800-53 HIGH IMPACT BASELINE","last-modified":"2020-08-26T16:28:38.111-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"a90f4235-ab3c-4bf1-ba0a-865bbc833346","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["a90f4235-ab3c-4bf1-ba0a-865bbc833346"]},"contact":{"party-uuids":["a90f4235-ab3c-4bf1-ba0a-865bbc833346"]}}},"imports":[{"href":"NIST_SP-800-53_rev5-FPD_catalog.xml","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-2"},{"control-id":"ac-2.1"},{"control-id":"ac-2.2"},{"control-id":"ac-2.3"},{"control-id":"ac-2.4"},{"control-id":"ac-2.5"},{"control-id":"ac-2.11"},{"control-id":"ac-2.12"},{"control-id":"ac-2.13"},{"control-id":"ac-3"},{"control-id":"ac-4"},{"control-id":"ac-4.4"},{"control-id":"ac-5"},{"control-id":"ac-6"},{"control-id":"ac-6.1"},{"control-id":"ac-6.2"},{"control-id":"ac-6.3"},{"control-id":"ac-6.5"},{"control-id":"ac-6.7"},{"control-id":"ac-6.9"},{"control-id":"ac-6.10"},{"control-id":"ac-7"},{"control-id":"ac-8"},{"control-id":"ac-10"},{"control-id":"ac-11"},{"control-id":"ac-11.1"},{"control-id":"ac-12"},{"control-id":"ac-14"},{"control-id":"ac-17"},{"control-id":"ac-17.1"},{"control-id":"ac-17.2"},{"control-id":"ac-17.3"},{"control-id":"ac-17.4"},{"control-id":"ac-18"},{"control-id":"ac-18.1"},{"control-id":"ac-18.3"},{"control-id":"ac-18.4"},{"control-id":"ac-18.5"},{"control-id":"ac-19"},{"control-id":"ac-19.5"},{"control-id":"ac-20"},{"control-id":"ac-20.1"},{"control-id":"ac-20.2"},{"control-id":"ac-21"},{"control-id":"ac-22"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-2.2"},{"control-id":"at-2.3"},{"control-id":"at-3"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-3"},{"control-id":"au-3.1"},{"control-id":"au-3.2"},{"control-id":"au-4"},{"control-id":"au-5"},{"control-id":"au-5.1"},{"control-id":"au-5.2"},{"control-id":"au-6"},{"control-id":"au-6.1"},{"control-id":"au-6.3"},{"control-id":"au-6.5"},{"control-id":"au-6.6"},{"control-id":"au-7"},{"control-id":"au-7.1"},{"control-id":"au-8"},{"control-id":"au-8.1"},{"control-id":"au-9"},{"control-id":"au-9.2"},{"control-id":"au-9.3"},{"control-id":"au-9.4"},{"control-id":"au-10"},{"control-id":"au-11"},{"control-id":"au-12"},{"control-id":"au-12.1"},{"control-id":"au-12.3"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-2.1"},{"control-id":"ca-2.2"},{"control-id":"ca-3"},{"control-id":"ca-3.6"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-7.1"},{"control-id":"ca-7.4"},{"control-id":"ca-8"},{"control-id":"ca-8.1"},{"control-id":"ca-9"},{"control-id":"cm-1"},{"control-id":"cm-2"},{"control-id":"cm-2.2"},{"control-id":"cm-2.3"},{"control-id":"cm-2.7"},{"control-id":"cm-3"},{"control-id":"cm-3.1"},{"control-id":"cm-3.2"},{"control-id":"cm-3.4"},{"control-id":"cm-3.6"},{"control-id":"cm-4"},{"control-id":"cm-4.1"},{"control-id":"cm-4.2"},{"control-id":"cm-5"},{"control-id":"cm-5.1"},{"control-id":"cm-5.3"},{"control-id":"cm-6"},{"control-id":"cm-6.1"},{"control-id":"cm-6.2"},{"control-id":"cm-7"},{"control-id":"cm-7.1"},{"control-id":"cm-7.2"},{"control-id":"cm-7.5"},{"control-id":"cm-8"},{"control-id":"cm-8.1"},{"control-id":"cm-8.2"},{"control-id":"cm-8.3"},{"control-id":"cm-8.4"},{"control-id":"cm-9"},{"control-id":"cm-10"},{"control-id":"cm-11"},{"control-id":"cm-12"},{"control-id":"cm-12.1"},{"control-id":"cp-1"},{"control-id":"cp-2"},{"control-id":"cp-2.1"},{"control-id":"cp-2.2"},{"control-id":"cp-2.3"},{"control-id":"cp-2.5"},{"control-id":"cp-2.8"},{"control-id":"cp-3"},{"control-id":"cp-3.1"},{"control-id":"cp-4"},{"control-id":"cp-4.1"},{"control-id":"cp-4.2"},{"control-id":"cp-6"},{"control-id":"cp-6.1"},{"control-id":"cp-6.2"},{"control-id":"cp-6.3"},{"control-id":"cp-7"},{"control-id":"cp-7.1"},{"control-id":"cp-7.2"},{"control-id":"cp-7.3"},{"control-id":"cp-7.4"},{"control-id":"cp-8"},{"control-id":"cp-8.1"},{"control-id":"cp-8.2"},{"control-id":"cp-8.3"},{"control-id":"cp-8.4"},{"control-id":"cp-9"},{"control-id":"cp-9.1"},{"control-id":"cp-9.2"},{"control-id":"cp-9.3"},{"control-id":"cp-9.5"},{"control-id":"cp-9.8"},{"control-id":"cp-10"},{"control-id":"cp-10.2"},{"control-id":"cp-10.4"},{"control-id":"ia-1"},{"control-id":"ia-2"},{"control-id":"ia-2.1"},{"control-id":"ia-2.2"},{"control-id":"ia-2.5"},{"control-id":"ia-2.8"},{"control-id":"ia-2.12"},{"control-id":"ia-3"},{"control-id":"ia-4"},{"control-id":"ia-4.4"},{"control-id":"ia-5"},{"control-id":"ia-5.1"},{"control-id":"ia-5.2"},{"control-id":"ia-5.6"},{"control-id":"ia-6"},{"control-id":"ia-7"},{"control-id":"ia-8"},{"control-id":"ia-8.1"},{"control-id":"ia-8.2"},{"control-id":"ia-8.4"},{"control-id":"ia-11"},{"control-id":"ia-12"},{"control-id":"ia-12.2"},{"control-id":"ia-12.3"},{"control-id":"ia-12.4"},{"control-id":"ia-12.5"},{"control-id":"ir-1"},{"control-id":"ir-2"},{"control-id":"ir-2.1"},{"control-id":"ir-2.2"},{"control-id":"ir-3"},{"control-id":"ir-3.2"},{"control-id":"ir-4"},{"control-id":"ir-4.1"},{"control-id":"ir-4.4"},{"control-id":"ir-5"},{"control-id":"ir-5.1"},{"control-id":"ir-6"},{"control-id":"ir-6.1"},{"control-id":"ir-6.3"},{"control-id":"ir-7"},{"control-id":"ir-7.1"},{"control-id":"ir-8"},{"control-id":"ir-10"},{"control-id":"ma-1"},{"control-id":"ma-2"},{"control-id":"ma-2.2"},{"control-id":"ma-3"},{"control-id":"ma-3.1"},{"control-id":"ma-3.2"},{"control-id":"ma-3.3"},{"control-id":"ma-4"},{"control-id":"ma-4.3"},{"control-id":"ma-5"},{"control-id":"ma-5.1"},{"control-id":"ma-6"},{"control-id":"mp-1"},{"control-id":"mp-2"},{"control-id":"mp-3"},{"control-id":"mp-4"},{"control-id":"mp-5"},{"control-id":"mp-6"},{"control-id":"mp-6.1"},{"control-id":"mp-6.2"},{"control-id":"mp-6.3"},{"control-id":"mp-7"},{"control-id":"pe-1"},{"control-id":"pe-2"},{"control-id":"pe-3"},{"control-id":"pe-3.1"},{"control-id":"pe-4"},{"control-id":"pe-5"},{"control-id":"pe-6"},{"control-id":"pe-6.1"},{"control-id":"pe-6.4"},{"control-id":"pe-8"},{"control-id":"pe-8.1"},{"control-id":"pe-9"},{"control-id":"pe-10"},{"control-id":"pe-11"},{"control-id":"pe-11.1"},{"control-id":"pe-12"},{"control-id":"pe-13"},{"control-id":"pe-13.1"},{"control-id":"pe-13.2"},{"control-id":"pe-14"},{"control-id":"pe-15"},{"control-id":"pe-15.1"},{"control-id":"pe-16"},{"control-id":"pe-17"},{"control-id":"pe-18"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-4"},{"control-id":"pl-4.1"},{"control-id":"pl-8"},{"control-id":"pl-10"},{"control-id":"pl-11"},{"control-id":"pm-1"},{"control-id":"pm-2"},{"control-id":"pm-3"},{"control-id":"pm-4"},{"control-id":"pm-5"},{"control-id":"pm-5.1"},{"control-id":"pm-6"},{"control-id":"pm-7"},{"control-id":"pm-7.1"},{"control-id":"pm-8"},{"control-id":"pm-9"},{"control-id":"pm-10"},{"control-id":"pm-11"},{"control-id":"pm-12"},{"control-id":"pm-13"},{"control-id":"pm-14"},{"control-id":"pm-15"},{"control-id":"pm-16"},{"control-id":"pm-16.1"},{"control-id":"pm-17"},{"control-id":"pm-18"},{"control-id":"pm-19"},{"control-id":"pm-20"},{"control-id":"pm-21"},{"control-id":"pm-22"},{"control-id":"pm-23"},{"control-id":"pm-24"},{"control-id":"pm-25"},{"control-id":"pm-26"},{"control-id":"pm-27"},{"control-id":"pm-28"},{"control-id":"pm-29"},{"control-id":"pm-30"},{"control-id":"pm-31"},{"control-id":"pm-32"},{"control-id":"ps-1"},{"control-id":"ps-2"},{"control-id":"ps-3"},{"control-id":"ps-4"},{"control-id":"ps-4.2"},{"control-id":"ps-5"},{"control-id":"ps-6"},{"control-id":"ps-7"},{"control-id":"ps-8"},{"control-id":"ra-1"},{"control-id":"ra-2"},{"control-id":"ra-3"},{"control-id":"ra-3.1"},{"control-id":"ra-5"},{"control-id":"ra-5.2"},{"control-id":"ra-5.4"},{"control-id":"ra-5.5"},{"control-id":"ra-7"},{"control-id":"ra-9"},{"control-id":"sa-1"},{"control-id":"sa-2"},{"control-id":"sa-3"},{"control-id":"sa-4"},{"control-id":"sa-4.1"},{"control-id":"sa-4.2"},{"control-id":"sa-4.5"},{"control-id":"sa-4.9"},{"control-id":"sa-4.10"},{"control-id":"sa-5"},{"control-id":"sa-8"},{"control-id":"sa-9"},{"control-id":"sa-9.2"},{"control-id":"sa-10"},{"control-id":"sa-11"},{"control-id":"sa-15"},{"control-id":"sa-15.3"},{"control-id":"sa-16"},{"control-id":"sa-17"},{"control-id":"sa-21"},{"control-id":"sa-22"},{"control-id":"sc-1"},{"control-id":"sc-2"},{"control-id":"sc-3"},{"control-id":"sc-4"},{"control-id":"sc-5"},{"control-id":"sc-7"},{"control-id":"sc-7.3"},{"control-id":"sc-7.4"},{"control-id":"sc-7.5"},{"control-id":"sc-7.7"},{"control-id":"sc-7.8"},{"control-id":"sc-7.18"},{"control-id":"sc-7.21"},{"control-id":"sc-8"},{"control-id":"sc-8.1"},{"control-id":"sc-10"},{"control-id":"sc-12"},{"control-id":"sc-12.1"},{"control-id":"sc-13"},{"control-id":"sc-15"},{"control-id":"sc-17"},{"control-id":"sc-18"},{"control-id":"sc-20"},{"control-id":"sc-21"},{"control-id":"sc-22"},{"control-id":"sc-23"},{"control-id":"sc-24"},{"control-id":"sc-28"},{"control-id":"sc-28.1"},{"control-id":"sc-39"},{"control-id":"si-1"},{"control-id":"si-2"},{"control-id":"si-2.1"},{"control-id":"si-2.2"},{"control-id":"si-3"},{"control-id":"si-3.1"},{"control-id":"si-4"},{"control-id":"si-4.2"},{"control-id":"si-4.4"},{"control-id":"si-4.5"},{"control-id":"si-4.10"},{"control-id":"si-4.12"},{"control-id":"si-4.14"},{"control-id":"si-4.20"},{"control-id":"si-4.22"},{"control-id":"si-5"},{"control-id":"si-5.1"},{"control-id":"si-6"},{"control-id":"si-7"},{"control-id":"si-7.1"},{"control-id":"si-7.2"},{"control-id":"si-7.5"},{"control-id":"si-7.7"},{"control-id":"si-7.15"},{"control-id":"si-8"},{"control-id":"si-8.1"},{"control-id":"si-8.2"},{"control-id":"si-10"},{"control-id":"si-11"},{"control-id":"si-12"},{"control-id":"si-16"},{"control-id":"sr-1"},{"control-id":"sr-2"},{"control-id":"sr-2.1"},{"control-id":"sr-3"},{"control-id":"sr-5"},{"control-id":"sr-6"},{"control-id":"sr-8"},{"control-id":"sr-9"},{"control-id":"sr-9.1"},{"control-id":"sr-10"},{"control-id":"sr-11"},{"control-id":"sr-11.1"},{"control-id":"sr-11.2"},{"control-id":"sr-11.3"}]}}],"merge":{"as-is":true}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.json deleted file mode 100644 index c9fe7f7e64..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.json +++ /dev/null @@ -1,1295 +0,0 @@ -{ - "profile": { - "uuid": "3ae6cabe-4976-43e4-b921-11c34b432b51", - "metadata": { - "title": "SP800-53 HIGH IMPACT BASELINE", - "last-modified": "2020-08-26T16:28:38.111-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "a90f4235-ab3c-4bf1-ba0a-865bbc833346", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "a90f4235-ab3c-4bf1-ba0a-865bbc833346" - ] - }, - "contact": { - "party-uuids": [ - "a90f4235-ab3c-4bf1-ba0a-865bbc833346" - ] - } - } - }, - "imports": [ - { - "href": "NIST_SP-800-53_rev5-FPD_catalog.xml", - "include": { - "id-selectors": [ - { - "control-id": "ac-1" - }, - { - "control-id": "ac-2" - }, - { - "control-id": "ac-2.1" - }, - { - "control-id": "ac-2.2" - }, - { - "control-id": "ac-2.3" - }, - { - "control-id": "ac-2.4" - }, - { - "control-id": "ac-2.5" - }, - { - "control-id": "ac-2.11" - }, - { - "control-id": "ac-2.12" - }, - { - "control-id": "ac-2.13" - }, - { - "control-id": "ac-3" - }, - { - "control-id": "ac-4" - }, - { - "control-id": "ac-4.4" - }, - { - "control-id": "ac-5" - }, - { - "control-id": "ac-6" - }, - { - "control-id": "ac-6.1" - }, - { - "control-id": "ac-6.2" - }, - { - "control-id": "ac-6.3" - }, - { - "control-id": "ac-6.5" - }, - { - "control-id": "ac-6.7" - }, - { - "control-id": "ac-6.9" - }, - { - "control-id": "ac-6.10" - }, - { - "control-id": "ac-7" - }, - { - "control-id": "ac-8" - }, - { - "control-id": "ac-10" - }, - { - "control-id": "ac-11" - }, - { - "control-id": "ac-11.1" - }, - { - "control-id": "ac-12" - }, - { - "control-id": "ac-14" - }, - { - "control-id": "ac-17" - }, - { - "control-id": "ac-17.1" - }, - { - "control-id": "ac-17.2" - }, - { - "control-id": "ac-17.3" - }, - { - "control-id": "ac-17.4" - }, - { - "control-id": "ac-18" - }, - { - "control-id": "ac-18.1" - }, - { - "control-id": "ac-18.3" - }, - { - "control-id": "ac-18.4" - }, - { - "control-id": "ac-18.5" - }, - { - "control-id": "ac-19" - }, - { - "control-id": "ac-19.5" - }, - { - "control-id": "ac-20" - }, - { - "control-id": "ac-20.1" - }, - { - "control-id": "ac-20.2" - }, - { - "control-id": "ac-21" - }, - { - "control-id": "ac-22" - }, - { - "control-id": "at-1" - }, - { - "control-id": "at-2" - }, - { - "control-id": "at-2.2" - }, - { - "control-id": "at-2.3" - }, - { - "control-id": "at-3" - }, - { - "control-id": "at-4" - }, - { - "control-id": "au-1" - }, - { - "control-id": "au-2" - }, - { - "control-id": "au-3" - }, - { - "control-id": "au-3.1" - }, - { - "control-id": "au-3.2" - }, - { - "control-id": "au-4" - }, - { - "control-id": "au-5" - }, - { - "control-id": "au-5.1" - }, - { - "control-id": "au-5.2" - }, - { - "control-id": "au-6" - }, - { - "control-id": "au-6.1" - }, - { - "control-id": "au-6.3" - }, - { - "control-id": "au-6.5" - }, - { - "control-id": "au-6.6" - }, - { - "control-id": "au-7" - }, - { - "control-id": "au-7.1" - }, - { - "control-id": "au-8" - }, - { - "control-id": "au-8.1" - }, - { - "control-id": "au-9" - }, - { - "control-id": "au-9.2" - }, - { - "control-id": "au-9.3" - }, - { - "control-id": "au-9.4" - }, - { - "control-id": "au-10" - }, - { - "control-id": "au-11" - }, - { - "control-id": "au-12" - }, - { - "control-id": "au-12.1" - }, - { - "control-id": "au-12.3" - }, - { - "control-id": "ca-1" - }, - { - "control-id": "ca-2" - }, - { - "control-id": "ca-2.1" - }, - { - "control-id": "ca-2.2" - }, - { - "control-id": "ca-3" - }, - { - "control-id": "ca-3.6" - }, - { - "control-id": "ca-5" - }, - { - "control-id": "ca-6" - }, - { - "control-id": "ca-7" - }, - { - "control-id": "ca-7.1" - }, - { - "control-id": "ca-7.4" - }, - { - "control-id": "ca-8" - }, - { - "control-id": "ca-8.1" - }, - { - "control-id": "ca-9" - }, - { - "control-id": "cm-1" - }, - { - "control-id": "cm-2" - }, - { - "control-id": "cm-2.2" - }, - { - "control-id": "cm-2.3" - }, - { - "control-id": "cm-2.7" - }, - { - "control-id": "cm-3" - }, - { - "control-id": "cm-3.1" - }, - { - "control-id": "cm-3.2" - }, - { - "control-id": "cm-3.4" - }, - { - "control-id": "cm-3.6" - }, - { - "control-id": "cm-4" - }, - { - "control-id": "cm-4.1" - }, - { - "control-id": "cm-4.2" - }, - { - "control-id": "cm-5" - }, - { - "control-id": "cm-5.1" - }, - { - "control-id": "cm-5.3" - }, - { - "control-id": "cm-6" - }, - { - "control-id": "cm-6.1" - }, - { - "control-id": "cm-6.2" - }, - { - "control-id": "cm-7" - }, - { - "control-id": "cm-7.1" - }, - { - "control-id": "cm-7.2" - }, - { - "control-id": "cm-7.5" - }, - { - "control-id": "cm-8" - }, - { - "control-id": "cm-8.1" - }, - { - "control-id": "cm-8.2" - }, - { - "control-id": "cm-8.3" - }, - { - "control-id": "cm-8.4" - }, - { - "control-id": "cm-9" - }, - { - "control-id": "cm-10" - }, - { - "control-id": "cm-11" - }, - { - "control-id": "cm-12" - }, - { - "control-id": "cm-12.1" - }, - { - "control-id": "cp-1" - }, - { - "control-id": "cp-2" - }, - { - "control-id": "cp-2.1" - }, - { - "control-id": "cp-2.2" - }, - { - "control-id": "cp-2.3" - }, - { - "control-id": "cp-2.5" - }, - { - "control-id": "cp-2.8" - }, - { - "control-id": "cp-3" - }, - { - "control-id": "cp-3.1" - }, - { - "control-id": "cp-4" - }, - { - "control-id": "cp-4.1" - }, - { - "control-id": "cp-4.2" - }, - { - "control-id": "cp-6" - }, - { - "control-id": "cp-6.1" - }, - { - "control-id": "cp-6.2" - }, - { - "control-id": "cp-6.3" - }, - { - "control-id": "cp-7" - }, - { - "control-id": "cp-7.1" - }, - { - "control-id": "cp-7.2" - }, - { - "control-id": "cp-7.3" - }, - { - "control-id": "cp-7.4" - }, - { - "control-id": "cp-8" - }, - { - "control-id": "cp-8.1" - }, - { - "control-id": "cp-8.2" - }, - { - "control-id": "cp-8.3" - }, - { - "control-id": "cp-8.4" - }, - { - "control-id": "cp-9" - }, - { - "control-id": "cp-9.1" - }, - { - "control-id": "cp-9.2" - }, - { - "control-id": "cp-9.3" - }, - { - "control-id": "cp-9.5" - }, - { - "control-id": "cp-9.8" - }, - { - "control-id": "cp-10" - }, - { - "control-id": "cp-10.2" - }, - { - "control-id": "cp-10.4" - }, - { - "control-id": "ia-1" - }, - { - "control-id": "ia-2" - }, - { - "control-id": "ia-2.1" - }, - { - "control-id": "ia-2.2" - }, - { - "control-id": "ia-2.5" - }, - { - "control-id": "ia-2.8" - }, - { - "control-id": "ia-2.12" - }, - { - "control-id": "ia-3" - }, - { - "control-id": "ia-4" - }, - { - "control-id": "ia-4.4" - }, - { - "control-id": "ia-5" - }, - { - "control-id": "ia-5.1" - }, - { - "control-id": "ia-5.2" - }, - { - "control-id": "ia-5.6" - }, - { - "control-id": "ia-6" - }, - { - "control-id": "ia-7" - }, - { - "control-id": "ia-8" - }, - { - "control-id": "ia-8.1" - }, - { - "control-id": "ia-8.2" - }, - { - "control-id": "ia-8.4" - }, - { - "control-id": "ia-11" - }, - { - "control-id": "ia-12" - }, - { - "control-id": "ia-12.2" - }, - { - "control-id": "ia-12.3" - }, - { - "control-id": "ia-12.4" - }, - { - "control-id": "ia-12.5" - }, - { - "control-id": "ir-1" - }, - { - "control-id": "ir-2" - }, - { - "control-id": "ir-2.1" - }, - { - "control-id": "ir-2.2" - }, - { - "control-id": "ir-3" - }, - { - "control-id": "ir-3.2" - }, - { - "control-id": "ir-4" - }, - { - "control-id": "ir-4.1" - }, - { - "control-id": "ir-4.4" - }, - { - "control-id": "ir-5" - }, - { - "control-id": "ir-5.1" - }, - { - "control-id": "ir-6" - }, - { - "control-id": "ir-6.1" - }, - { - "control-id": "ir-6.3" - }, - { - "control-id": "ir-7" - }, - { - "control-id": "ir-7.1" - }, - { - "control-id": "ir-8" - }, - { - "control-id": "ir-10" - }, - { - "control-id": "ma-1" - }, - { - "control-id": "ma-2" - }, - { - "control-id": "ma-2.2" - }, - { - "control-id": "ma-3" - }, - { - "control-id": "ma-3.1" - }, - { - "control-id": "ma-3.2" - }, - { - "control-id": "ma-3.3" - }, - { - "control-id": "ma-4" - }, - { - "control-id": "ma-4.3" - }, - { - "control-id": "ma-5" - }, - { - "control-id": "ma-5.1" - }, - { - "control-id": "ma-6" - }, - { - "control-id": "mp-1" - }, - { - "control-id": "mp-2" - }, - { - "control-id": "mp-3" - }, - { - "control-id": "mp-4" - }, - { - "control-id": "mp-5" - }, - { - "control-id": "mp-6" - }, - { - "control-id": "mp-6.1" - }, - { - "control-id": "mp-6.2" - }, - { - "control-id": "mp-6.3" - }, - { - "control-id": "mp-7" - }, - { - "control-id": "pe-1" - }, - { - "control-id": "pe-2" - }, - { - "control-id": "pe-3" - }, - { - "control-id": "pe-3.1" - }, - { - "control-id": "pe-4" - }, - { - "control-id": "pe-5" - }, - { - "control-id": "pe-6" - }, - { - "control-id": "pe-6.1" - }, - { - "control-id": "pe-6.4" - }, - { - "control-id": "pe-8" - }, - { - "control-id": "pe-8.1" - }, - { - "control-id": "pe-9" - }, - { - "control-id": "pe-10" - }, - { - "control-id": "pe-11" - }, - { - "control-id": "pe-11.1" - }, - { - "control-id": "pe-12" - }, - { - "control-id": "pe-13" - }, - { - "control-id": "pe-13.1" - }, - { - "control-id": "pe-13.2" - }, - { - "control-id": "pe-14" - }, - { - "control-id": "pe-15" - }, - { - "control-id": "pe-15.1" - }, - { - "control-id": "pe-16" - }, - { - "control-id": "pe-17" - }, - { - "control-id": "pe-18" - }, - { - "control-id": "pl-1" - }, - { - "control-id": "pl-2" - }, - { - "control-id": "pl-4" - }, - { - "control-id": "pl-4.1" - }, - { - "control-id": "pl-8" - }, - { - "control-id": "pl-10" - }, - { - "control-id": "pl-11" - }, - { - "control-id": "pm-1" - }, - { - "control-id": "pm-2" - }, - { - "control-id": "pm-3" - }, - { - "control-id": "pm-4" - }, - { - "control-id": "pm-5" - }, - { - "control-id": "pm-5.1" - }, - { - "control-id": "pm-6" - }, - { - "control-id": "pm-7" - }, - { - "control-id": "pm-7.1" - }, - { - "control-id": "pm-8" - }, - { - "control-id": "pm-9" - }, - { - "control-id": "pm-10" - }, - { - "control-id": "pm-11" - }, - { - "control-id": "pm-12" - }, - { - "control-id": "pm-13" - }, - { - "control-id": "pm-14" - }, - { - "control-id": "pm-15" - }, - { - "control-id": "pm-16" - }, - { - "control-id": "pm-16.1" - }, - { - "control-id": "pm-17" - }, - { - "control-id": "pm-18" - }, - { - "control-id": "pm-19" - }, - { - "control-id": "pm-20" - }, - { - "control-id": "pm-21" - }, - { - "control-id": "pm-22" - }, - { - "control-id": "pm-23" - }, - { - "control-id": "pm-24" - }, - { - "control-id": "pm-25" - }, - { - "control-id": "pm-26" - }, - { - "control-id": "pm-27" - }, - { - "control-id": "pm-28" - }, - { - "control-id": "pm-29" - }, - { - "control-id": "pm-30" - }, - { - "control-id": "pm-31" - }, - { - "control-id": "pm-32" - }, - { - "control-id": "ps-1" - }, - { - "control-id": "ps-2" - }, - { - "control-id": "ps-3" - }, - { - "control-id": "ps-4" - }, - { - "control-id": "ps-4.2" - }, - { - "control-id": "ps-5" - }, - { - "control-id": "ps-6" - }, - { - "control-id": "ps-7" - }, - { - "control-id": "ps-8" - }, - { - "control-id": "ra-1" - }, - { - "control-id": "ra-2" - }, - { - "control-id": "ra-3" - }, - { - "control-id": "ra-3.1" - }, - { - "control-id": "ra-5" - }, - { - "control-id": "ra-5.2" - }, - { - "control-id": "ra-5.4" - }, - { - "control-id": "ra-5.5" - }, - { - "control-id": "ra-7" - }, - { - "control-id": "ra-9" - }, - { - "control-id": "sa-1" - }, - { - "control-id": "sa-2" - }, - { - "control-id": "sa-3" - }, - { - "control-id": "sa-4" - }, - { - "control-id": "sa-4.1" - }, - { - "control-id": "sa-4.2" - }, - { - "control-id": "sa-4.5" - }, - { - "control-id": "sa-4.9" - }, - { - "control-id": "sa-4.10" - }, - { - "control-id": "sa-5" - }, - { - "control-id": "sa-8" - }, - { - "control-id": "sa-9" - }, - { - "control-id": "sa-9.2" - }, - { - "control-id": "sa-10" - }, - { - "control-id": "sa-11" - }, - { - "control-id": "sa-15" - }, - { - "control-id": "sa-15.3" - }, - { - "control-id": "sa-16" - }, - { - "control-id": "sa-17" - }, - { - "control-id": "sa-21" - }, - { - "control-id": "sa-22" - }, - { - "control-id": "sc-1" - }, - { - "control-id": "sc-2" - }, - { - "control-id": "sc-3" - }, - { - "control-id": "sc-4" - }, - { - "control-id": "sc-5" - }, - { - "control-id": "sc-7" - }, - { - "control-id": "sc-7.3" - }, - { - "control-id": "sc-7.4" - }, - { - "control-id": "sc-7.5" - }, - { - "control-id": "sc-7.7" - }, - { - "control-id": "sc-7.8" - }, - { - "control-id": "sc-7.18" - }, - { - "control-id": "sc-7.21" - }, - { - "control-id": "sc-8" - }, - { - "control-id": "sc-8.1" - }, - { - "control-id": "sc-10" - }, - { - "control-id": "sc-12" - }, - { - "control-id": "sc-12.1" - }, - { - "control-id": "sc-13" - }, - { - "control-id": "sc-15" - }, - { - "control-id": "sc-17" - }, - { - "control-id": "sc-18" - }, - { - "control-id": "sc-20" - }, - { - "control-id": "sc-21" - }, - { - "control-id": "sc-22" - }, - { - "control-id": "sc-23" - }, - { - "control-id": "sc-24" - }, - { - "control-id": "sc-28" - }, - { - "control-id": "sc-28.1" - }, - { - "control-id": "sc-39" - }, - { - "control-id": "si-1" - }, - { - "control-id": "si-2" - }, - { - "control-id": "si-2.1" - }, - { - "control-id": "si-2.2" - }, - { - "control-id": "si-3" - }, - { - "control-id": "si-3.1" - }, - { - "control-id": "si-4" - }, - { - "control-id": "si-4.2" - }, - { - "control-id": "si-4.4" - }, - { - "control-id": "si-4.5" - }, - { - "control-id": "si-4.10" - }, - { - "control-id": "si-4.12" - }, - { - "control-id": "si-4.14" - }, - { - "control-id": "si-4.20" - }, - { - "control-id": "si-4.22" - }, - { - "control-id": "si-5" - }, - { - "control-id": "si-5.1" - }, - { - "control-id": "si-6" - }, - { - "control-id": "si-7" - }, - { - "control-id": "si-7.1" - }, - { - "control-id": "si-7.2" - }, - { - "control-id": "si-7.5" - }, - { - "control-id": "si-7.7" - }, - { - "control-id": "si-7.15" - }, - { - "control-id": "si-8" - }, - { - "control-id": "si-8.1" - }, - { - "control-id": "si-8.2" - }, - { - "control-id": "si-10" - }, - { - "control-id": "si-11" - }, - { - "control-id": "si-12" - }, - { - "control-id": "si-16" - }, - { - "control-id": "sr-1" - }, - { - "control-id": "sr-2" - }, - { - "control-id": "sr-2.1" - }, - { - "control-id": "sr-3" - }, - { - "control-id": "sr-5" - }, - { - "control-id": "sr-6" - }, - { - "control-id": "sr-8" - }, - { - "control-id": "sr-9" - }, - { - "control-id": "sr-9.1" - }, - { - "control-id": "sr-10" - }, - { - "control-id": "sr-11" - }, - { - "control-id": "sr-11.1" - }, - { - "control-id": "sr-11.2" - }, - { - "control-id": "sr-11.3" - } - ] - } - } - ], - "merge": { - "as-is": true - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog-min.json deleted file mode 100644 index 0ec2a8e3cc..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog-min.json +++ /dev/null @@ -1 +0,0 @@ -{"catalog":{"uuid":"ab1003f2-c716-4c18-873c-2ae4ae46d829","metadata":{"title":"SP800-53 LOW IMPACT BASELINE","last-modified":"2020-08-26T16:28:37.432-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:39:43.230651Z"}],"links":[{"href":"NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml","rel":"resolution-source","text":"SP800-53 LOW IMPACT BASELINE"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"fcba95f8-df3b-47cd-ae6f-57089a2b7174","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["fcba95f8-df3b-47cd-ae6f-57089a2b7174"]},"contact":{"party-uuids":["fcba95f8-df3b-47cd-ae6f-57089a2b7174"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2"},{"id":"ac-1_prm_3","label":"organization-defined official"},{"id":"ac-1_prm_4","label":"organization-defined frequency"},{"id":"ac-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-1"},{"name":"sort-id","value":"AC-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ac-1_prm_2 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ac-1_prm_4 }}; and"},{"id":"ac-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ac-1_prm_5 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","parameters":[{"id":"ac-2_prm_1","label":"organization-defined attributes (as required)"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined policy, procedures, and conditions"},{"id":"ac-2_prm_4","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_5","label":"organization-defined time-period"},{"id":"ac-2_prm_6","label":"organization-defined time-period"},{"id":"ac-2_prm_7","label":"organization-defined time-period"},{"id":"ac-2_prm_8","label":"organization-defined attributes (as required)"},{"id":"ac-2_prm_9","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-2"},{"name":"sort-id","value":"AC-02"}],"links":[{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#06d3c11a-4a00-42d9-ad75-e6a777ffae5e","rel":"reference","text":"[SP 800-192]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-24","rel":"related","text":"AC-24"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-37","rel":"related","text":"SC-37"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed for use within the system;"},{"id":"ac-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establish conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ ac-2_prm_2 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ ac-2_prm_4 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ac-2_prm_5 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ ac-2_prm_6 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"\n {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"\n {{ ac-2_prm_8 }};"}]},{"id":"ac-2_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ ac-2_prm_9 }};"},{"id":"ac-2_smt.k","name":"item","properties":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","properties":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy.\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","properties":[{"name":"label","value":"AC-3"},{"name":"sort-id","value":"AC-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#ac-24","rel":"related","text":"AC-24"},{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-6","rel":"related","text":"IA-6"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-4","rel":"related","text":"SC-4"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family."}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","parameters":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time-period"},{"id":"ac-7_prm_3"},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time-period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"},{"id":"ac-7_prm_6","depends-on":"ac-7_prm_3","label":"organization-defined action"}],"properties":[{"name":"label","value":"AC-7"},{"name":"sort-id","value":"AC-07"}],"links":[{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-5","rel":"related","text":"IA-5"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address.\nTechniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","parameters":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"properties":[{"name":"label","value":"AC-8"},{"name":"sort-id","value":"AC-08"}],"links":[{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","parameters":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"properties":[{"name":"label","value":"AC-14"},{"name":"sort-id","value":"AC-14"}],"links":[{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and"},{"id":"ac-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none."}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","properties":[{"name":"label","value":"AC-17"},{"name":"sort-id","value":"AC-17"}],"links":[{"href":"#7768c184-088d-4ee8-a316-f9286b52df7f","rel":"reference","text":"[SP 800-46]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#36132a58-56fd-4980-9f6c-c010d3faf52b","rel":"reference","text":"[SP 800-113]"},{"href":"#49fa1ee1-aaf7-4270-bb5a-a86497f717dc","rel":"reference","text":"[SP 800-114]"},{"href":"#60b24979-65b8-4ca5-a442-11b74339fab5","rel":"reference","text":"[SP 800-121]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3."}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","properties":[{"name":"label","value":"AC-18"},{"name":"sort-id","value":"AC-18"}],"links":[{"href":"#41e2e2c6-2260-4258-85c8-09db17c43103","rel":"reference","text":"[SP 800-94]"},{"href":"#6bed1550-cd5d-4e80-8d83-4e597c1514fe","rel":"reference","text":"[SP 800-97]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication."}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","properties":[{"name":"label","value":"AC-19"},{"name":"sort-id","value":"AC-19"}],"links":[{"href":"#49fa1ee1-aaf7-4270-bb5a-a86497f717dc","rel":"reference","text":"[SP 800-114]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-11","rel":"related","text":"AC-11"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled."}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","parameters":[{"id":"ac-20_prm_1"},{"id":"ac-20_prm_2","depends-on":"ac-20_prm_1","label":"organization-defined terms and conditions"},{"id":"ac-20_prm_3","depends-on":"ac-20_prm_1","label":"organization-defined controls asserted to be implemented on external systems"}],"properties":[{"name":"label","value":"AC-20"},{"name":"sort-id","value":"AC-20"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#aad55f03-8ece-4b21-b09c-9ef65b5a9f55","rel":"reference","text":"[SP 800-171B]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries.\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\nThis control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","parameters":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-22"},{"name":"sort-id","value":"AC-22"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-13","rel":"related","text":"AU-13"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible."}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2"},{"id":"at-1_prm_3","label":"organization-defined official"},{"id":"at-1_prm_4","label":"organization-defined frequency"},{"id":"at-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-1"},{"name":"sort-id","value":"AT-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ at-1_prm_2 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ at-1_prm_4 }}; and"},{"id":"at-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ at-1_prm_5 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"at-2","class":"SP800-53","title":"Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency"},{"id":"at-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-2"},{"name":"sort-id","value":"AT-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-16","rel":"related","text":"SA-16"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update awareness training {{ at-2_prm_2 }}."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective."}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","properties":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"AT-02(02)"}],"links":[{"href":"#pm-12","rel":"related","text":"PM-12"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide awareness training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations."}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined roles and responsibilities"},{"id":"at-3_prm_2","label":"organization-defined frequency"},{"id":"at-3_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-3"},{"name":"sort-id","value":"AT-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update role-based training {{ at-3_prm_3 }}."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective."}]},{"id":"at-4","class":"SP800-53","title":"Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AT-4"},{"name":"sort-id","value":"AT-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2"},{"id":"au-1_prm_3","label":"organization-defined official"},{"id":"au-1_prm_4","label":"organization-defined frequency"},{"id":"au-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-1"},{"name":"sort-id","value":"AU-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ au-1_prm_2 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ au-1_prm_4 }}; and"},{"id":"au-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ au-1_prm_5 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","parameters":[{"id":"au-2_prm_1","label":"organization-defined event types that the system is capable of logging"},{"id":"au-2_prm_2","label":"organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-2"},{"name":"sort-id","value":"AU-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#02d8ec60-6197-43f8-9f47-18732127963e","rel":"reference","text":"[SP 800-92]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ au-2_prm_3 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","properties":[{"name":"label","value":"AU-3"},{"name":"sort-id","value":"AU-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage."}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","parameters":[{"id":"au-4_prm_1","label":"organization-defined audit log retention requirements"}],"properties":[{"name":"label","value":"AU-4"},{"name":"sort-id","value":"AU-04"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","parameters":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined time-period"},{"id":"au-5_prm_3","label":"organization-defined additional actions"}],"properties":[{"name":"label","value":"AU-5"},{"name":"sort-id","value":"AU-05"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ au-5_prm_3 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","parameters":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-6"},{"name":"sort-id","value":"AU-06"}],"links":[{"href":"#35dfd59f-eef2-4f71-bdb5-6d878267456a","rel":"reference","text":"[SP 800-86]"},{"href":"#1e2c475a-84ae-4c60-b420-8fb2ea552b71","rel":"reference","text":"[SP 800-101]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};"},{"id":"au-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report findings to {{ au-6_prm_3 }}; and"},{"id":"au-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","parameters":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"properties":[{"name":"label","value":"AU-8"},{"name":"sort-id","value":"AU-08"}],"links":[{"href":"#17ca9481-ea11-4ef2-81c1-885fd37d4be5","rel":"reference","text":"[IETF 5905]"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#sc-45","rel":"related","text":"SC-45"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","properties":[{"name":"label","value":"AU-9"},{"name":"sort-id","value":"AU-09"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#au-15","rel":"related","text":"AU-15"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time-period consistent with records retention policy"}],"properties":[{"name":"label","value":"AU-11"},{"name":"sort-id","value":"AU-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention."}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","parameters":[{"id":"au-12_prm_1","label":"organization-defined system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-12"},{"name":"sort-id","value":"AU-12"}],"links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2"},{"id":"ca-1_prm_3","label":"organization-defined official"},{"id":"ca-1_prm_4","label":"organization-defined frequency"},{"id":"ca-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-1"},{"name":"sort-id","value":"CA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ca-1_prm_4 }}; and"},{"id":"ca-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ca-1_prm_5 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"properties":[{"name":"label","value":"CA-2"},{"name":"sort-id","value":"CA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Provide the results of the control assessment to {{ ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control."}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","parameters":[{"id":"ca-3_prm_1"},{"id":"ca-3_prm_2","depends-on":"ca-3_prm_1","label":"organization-defined type of agreement"},{"id":"ca-3_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-3"},{"name":"sort-id","value":"CA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#2e66c31a-190e-49ad-8e00-f306f8a0df17","rel":"reference","text":"[SP 800-47]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }};"},{"id":"ca-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ ca-3_prm_3 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks."}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-5"},{"name":"sort-id","value":"CA-05"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB."}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"CA-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined system-level metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-7"},{"name":"sort-id","value":"CA-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#851b5ba4-6aa0-4583-857c-4c360cbdf2a0","rel":"reference","text":"[IR 8011 v1]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-31","rel":"related","text":"PM-31"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}],"controls":[{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","properties":[{"name":"label","value":"CA-7(4)"},{"name":"sort-id","value":"CA-07(04)"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","parameters":[{"id":"ca-9_prm_1","label":"organization-defined system components or classes of components"},{"id":"ca-9_prm_2","label":"organization-defined conditions"},{"id":"ca-9_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-9"},{"name":"sort-id","value":"CA-09"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ ca-9_prm_1 }} to the system;"},{"id":"ca-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ ca-9_prm_2 }}; and"},{"id":"ca-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review {{ ca-9_prm_3 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2"},{"id":"cm-1_prm_3","label":"organization-defined official"},{"id":"cm-1_prm_4","label":"organization-defined frequency"},{"id":"cm-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-1"},{"name":"sort-id","value":"CM-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cm-1_prm_2 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ cm-1_prm_4 }}; and"},{"id":"cm-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ cm-1_prm_5 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","parameters":[{"id":"cm-2_prm_1","label":"organization-defined frequency"},{"id":"cm-2_prm_2","label":"Assignment organization-defined circumstances"}],"properties":[{"name":"label","value":"CM-2"},{"name":"sort-id","value":"CM-02"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-12","rel":"related","text":"CP-12"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-18","rel":"related","text":"SC-18"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cm-2_prm_1 }};"},{"id":"cm-2_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required due to {{ cm-2_prm_2 }}; and"},{"id":"cm-2_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"CM-04"}],"links":[{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required."}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","properties":[{"name":"label","value":"CM-5"},{"name":"sort-id","value":"CM-05"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-10","rel":"related","text":"SI-10"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","parameters":[{"id":"cm-6_prm_1","label":"organization-defined common secure configurations"},{"id":"cm-6_prm_2","label":"organization-defined system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"properties":[{"name":"label","value":"CM-6"},{"name":"sort-id","value":"CM-06"}],"links":[{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","rel":"reference","text":"[SP 800-126]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#06842bea-64c9-4e20-807a-b8fc003fa737","rel":"reference","text":"[USGCB]"},{"href":"#5cc04a1c-5489-4751-a493-746a9639067b","rel":"reference","text":"[NCPR]"},{"href":"#294eed19-7471-4517-9480-2ec73e7c6a78","rel":"reference","text":"[DOD STIG]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-6","rel":"related","text":"SI-6"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\nImplementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","parameters":[{"id":"cm-7_prm_1","label":"organization-defined mission essential capabilities"},{"id":"cm-7_prm_2","label":"organization-defined prohibited or restricted functions, ports, protocols, software, and/or services"}],"properties":[{"name":"label","value":"CM-7"},{"name":"sort-id","value":"CM-07"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#893d1736-324c-41d6-a5f4-d526b5ca981a","rel":"reference","text":"[SP 800-167]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ cm-7_prm_1 }}; and"},{"id":"cm-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3)."}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","parameters":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-8"},{"name":"sort-id","value":"CM-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location."}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","properties":[{"name":"label","value":"CM-10"},{"name":"sort-id","value":"CM-10"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement."}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","parameters":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-11"},{"name":"sort-id","value":"CM-11"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish {{ cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2"},{"id":"cp-1_prm_3","label":"organization-defined official"},{"id":"cp-1_prm_4","label":"organization-defined frequency"},{"id":"cp-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-1"},{"name":"sort-id","value":"CP-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cp-1_prm_2 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ cp-1_prm_4 }}; and"},{"id":"cp-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ cp-1_prm_5 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","parameters":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and/or by role) and organizational elements"}],"properties":[{"name":"label","value":"CP-2"},{"name":"sort-id","value":"CP-02"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#7a93e915-fd58-4147-be12-e48044c367e6","rel":"reference","text":"[IR 8179]"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-11","rel":"related","text":"CP-11"},{"href":"#cp-13","rel":"related","text":"CP-13"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-20","rel":"related","text":"SA-20"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.\nIn addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family."}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","parameters":[{"id":"cp-3_prm_1","label":"organization-defined time-period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-3"},{"name":"sort-id","value":"CP-03"}],"links":[{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n {{ cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan."}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","parameters":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"properties":[{"name":"label","value":"CP-4"},{"name":"sort-id","value":"CP-04"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#20bf433b-074c-47a0-8fca-cd591772ccd6","rel":"reference","text":"[SP 800-84]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","parameters":[{"id":"cp-9_prm_1","label":"organization-defined system components"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_4","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-9"},{"name":"sort-id","value":"CP-09"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#ae412317-c2b4-47bb-b47b-c329ce0d7a0b","rel":"reference","text":"[SP 800-130]"},{"href":"#38dbdf55-9a14-446f-b563-c48e4e3d37fb","rel":"reference","text":"[SP 800-152]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ cp-9_prm_1 }}\n {{ cp-9_prm_2 }};"},{"id":"cp-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }};"},{"id":"cp-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and"},{"id":"cp-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","parameters":[{"id":"cp-10_prm_1","label":"organization-defined time-period consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-10"},{"name":"sort-id","value":"CP-10"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-24","rel":"related","text":"SC-24"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2"},{"id":"ia-1_prm_3","label":"organization-defined official"},{"id":"ia-1_prm_4","label":"organization-defined frequency"},{"id":"ia-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IA-1"},{"name":"sort-id","value":"IA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ia-1_prm_2 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ia-1_prm_4 }}; and"},{"id":"ia-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ia-1_prm_5 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","properties":[{"name":"label","value":"IA-2"},{"name":"sort-id","value":"IA-02"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa","rel":"reference","text":"[SP 800-156]"},{"href":"#a8f55663-86c5-415b-aabe-d2a126981d65","rel":"reference","text":"[SP 800-166]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#daf69edb-a0ef-4447-9880-8c4bf553181f","rel":"reference","text":"[IR 7676]"},{"href":"#a49f67fc-827c-40e6-9a37-2b1cbe8142fd","rel":"reference","text":"[IR 7817]"},{"href":"#972c10bd-aedf-485f-b0db-f46a402127e2","rel":"reference","text":"[IR 7849]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8."}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multifactor Authentication to Privileged Accounts","properties":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"IA-02(01)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multifactor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multifactor Authentication to Non-privileged Accounts","properties":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"IA-02(02)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multifactor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","parameters":[{"id":"ia-2.8_prm_1"}],"properties":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"IA-02(08)"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators."}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","properties":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"IA-02(12)"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential."}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","parameters":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"IA-4"},{"name":"sort-id","value":"IA-04"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#sc-37","rel":"related","text":"SC-37"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ ia-4_prm_2 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","parameters":[{"id":"ia-5_prm_1","label":"organization-defined time-period by authenticator type"}],"properties":[{"name":"label","value":"IA-5"},{"name":"sort-id","value":"IA-05"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#a49f67fc-827c-40e6-9a37-2b1cbe8142fd","rel":"reference","text":"[IR 7817]"},{"href":"#972c10bd-aedf-485f-b0db-f46a402127e2","rel":"reference","text":"[IR 7849]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#24738ee6-b3f3-4e37-825b-58775846bdbc","rel":"reference","text":"[IR 8040]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changing or refreshing authenticators {{ ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","parameters":[{"id":"ia-5.1_prm_1","label":"organization-defined frequency"},{"id":"ia-5.1_prm_2","label":"organization-defined composition and complexity rules"}],"properties":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"IA-05(01)"}],"links":[{"href":"#ia-6","rel":"related","text":"IA-6"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;"},{"id":"ia-5.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Transmit only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","properties":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","properties":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof."}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","properties":[{"name":"label","value":"IA-6"},{"name":"sort-id","value":"IA-06"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it."}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","properties":[{"name":"label","value":"IA-7"},{"name":"sort-id","value":"IA-07"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","properties":[{"name":"label","value":"IA-8"},{"name":"sort-id","value":"IA-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#ad7d575f-b5fe-489b-8d48-36a93d964a5f","rel":"reference","text":"[SP 800-116]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-10","rel":"related","text":"IA-10"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-8","rel":"related","text":"SC-8"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","properties":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"IA-08(01)"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]."}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Credentials","properties":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"IA-08(02)"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"Accept only external credentials that are NIST-compliant."},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels."}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Nist-issued Profiles","properties":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"IA-08(04)"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to NIST-issued profiles for identity management."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols."}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","parameters":[{"id":"ia-11_prm_1","label":"organization-defined circumstances or situations requiring re-authentication"}],"properties":[{"name":"label","value":"IA-11"},{"name":"sort-id","value":"IA-11"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-11","rel":"related","text":"AC-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ ia-11_prm_1 }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically."}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2"},{"id":"ir-1_prm_3","label":"organization-defined official"},{"id":"ir-1_prm_4","label":"organization-defined frequency"},{"id":"ir-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-1"},{"name":"sort-id","value":"IR-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ir-1_prm_2 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ir-1_prm_4 }}; and"},{"id":"ir-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ir-1_prm_5 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","parameters":[{"id":"ir-2_prm_1","label":"organization-defined time-period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-2"},{"name":"sort-id","value":"IR-02"}],"links":[{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n {{ ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3."}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"IR-04"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#35dfd59f-eef2-4f71-bdb5-6d878267456a","rel":"reference","text":"[SP 800-86]"},{"href":"#1e2c475a-84ae-4c60-b420-8fb2ea552b71","rel":"reference","text":"[SP 800-101]"},{"href":"#ad3e8f21-07c6-4968-b002-00b64dfa70ae","rel":"reference","text":"[SP 800-150]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#08f518f7-f9b9-4bee-8986-860214f46b16","rel":"reference","text":"[SP 800-184]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk."}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","properties":[{"name":"label","value":"IR-5"},{"name":"sort-id","value":"IR-05"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document security, privacy, and supply chain incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports."}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time-period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"label","value":"IR-6"},{"name":"sort-id","value":"IR-06"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"IR-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-26","rel":"related","text":"PM-26"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined frequency"},{"id":"ir-8_prm_3","label":"organization-defined entities, personnel, or roles"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"},{"id":"ir-8_prm_5","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"}],"properties":[{"name":"label","value":"IR-8"},{"name":"sort-id","value":"IR-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#389fe193-866e-46b1-bf1d-38904b56aa7b","rel":"reference","text":"[OMB M-17-12]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-8","rel":"related","text":"SR-8"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and"},{"id":"ir-8_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}."}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ ir-8_prm_4 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ ir-8_prm_5 }}; and"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2"},{"id":"ma-1_prm_3","label":"organization-defined official"},{"id":"ma-1_prm_4","label":"organization-defined frequency"},{"id":"ma-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MA-1"},{"name":"sort-id","value":"MA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ma-1_prm_2 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ma-1_prm_4 }}; and"},{"id":"ma-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ma-1_prm_5 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","parameters":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined information"},{"id":"ma-2_prm_3","label":"organization-defined information"}],"properties":[{"name":"label","value":"MA-2"},{"name":"sort-id","value":"MA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }};"},{"id":"ma-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems."}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","properties":[{"name":"label","value":"MA-4"},{"name":"sort-id","value":"MA-04"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#bbc7085f-b383-444e-af74-722a55cccc0f","rel":"reference","text":"[FIPS 197]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-10","rel":"related","text":"SC-10"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls."}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","properties":[{"name":"label","value":"MA-5"},{"name":"sort-id","value":"MA-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods."}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2"},{"id":"mp-1_prm_3","label":"organization-defined official"},{"id":"mp-1_prm_4","label":"organization-defined frequency"},{"id":"mp-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MP-1"},{"name":"sort-id","value":"MP-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ mp-1_prm_2 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ mp-1_prm_4 }}; and"},{"id":"mp-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ mp-1_prm_5 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","parameters":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MP-2"},{"name":"sort-id","value":"MP-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media."}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"MP-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#a52271dc-11b5-423a-8b6f-14867bd94259","rel":"reference","text":"[NSA MEDIA]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"},{"href":"#si-19","rel":"related","text":"SI-19"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information."}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","parameters":[{"id":"mp-7_prm_1"},{"id":"mp-7_prm_2","label":"organization-defined types of system media"},{"id":"mp-7_prm_3","label":"organization-defined systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined controls"}],"properties":[{"name":"label","value":"MP-7"},{"name":"sort-id","value":"MP-07"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-41","rel":"related","text":"SC-41"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"\n {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and"},{"id":"mp-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2"},{"id":"pe-1_prm_3","label":"organization-defined official"},{"id":"pe-1_prm_4","label":"organization-defined frequency"},{"id":"pe-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-1"},{"name":"sort-id","value":"PE-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pe-1_prm_2 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pe-1_prm_4 }}; and"},{"id":"pe-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pe-1_prm_5 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","parameters":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-2"},{"name":"sort-id","value":"PE-02"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-8","rel":"related","text":"PE-8"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible."}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","parameters":[{"id":"pe-3_prm_1","label":"organization-defined entry and exit points to the facility where the system resides"},{"id":"pe-3_prm_2"},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems or devices"},{"id":"pe-3_prm_4","label":"organization-defined entry or exit points"},{"id":"pe-3_prm_5","label":"organization-defined controls"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-3"},{"name":"sort-id","value":"PE-03"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ad7d575f-b5fe-489b-8d48-36a93d964a5f","rel":"reference","text":"[SP 800-116]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-8","rel":"related","text":"PE-8"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ pe-3_prm_1 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }};"},{"id":"pe-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Escort visitors and monitor visitor activity {{ pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","parameters":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"properties":[{"name":"label","value":"PE-6"},{"name":"sort-id","value":"PE-06"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses."}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","parameters":[{"id":"pe-8_prm_1","label":"organization-defined time-period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"},{"id":"pe-8_prm_3","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"PE-8"},{"name":"sort-id","value":"PE-08"}],"links":[{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }};"},{"id":"pe-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ pe-8_prm_2 }}; and"},{"id":"pe-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ pe-8_prm_3 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas."}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","properties":[{"name":"label","value":"PE-12"},{"name":"sort-id","value":"PE-12"}],"links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites."}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","properties":[{"name":"label","value":"PE-13"},{"name":"sort-id","value":"PE-13"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors."}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","parameters":[{"id":"pe-14_prm_1"},{"id":"pe-14_prm_2","depends-on":"pe-14_prm_1","label":"organization-defined environmental control"},{"id":"pe-14_prm_3","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_4","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-14"},{"name":"sort-id","value":"PE-14"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pe-21","rel":"related","text":"PE-21"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and"},{"id":"pe-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ pe-14_prm_4 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure."}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","properties":[{"name":"label","value":"PE-15"},{"name":"sort-id","value":"PE-15"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pe-10","rel":"related","text":"PE-10"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations."}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","parameters":[{"id":"pe-16_prm_1","label":"organization-defined types of system components"}],"properties":[{"name":"label","value":"PE-16"},{"name":"sort-id","value":"PE-16"}],"links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2"},{"id":"pl-1_prm_3","label":"organization-defined official"},{"id":"pl-1_prm_4","label":"organization-defined frequency"},{"id":"pl-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-1"},{"name":"sort-id","value":"PL-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pl-1_prm_2 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pl-1_prm_4 }}; and"},{"id":"pl-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pl-1_prm_5 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","parameters":[{"id":"pl-2_prm_1","label":"organization-defined individuals or groups"},{"id":"pl-2_prm_2","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-2"},{"name":"sort-id","value":"PL-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-22","rel":"related","text":"SA-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.10","name":"item","properties":[{"name":"label","value":"10."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.11","name":"item","properties":[{"name":"label","value":"11."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.12","name":"item","properties":[{"name":"label","value":"12."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and"},{"id":"pl-2_smt.a.13","name":"item","properties":[{"name":"label","value":"13."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the plans {{ pl-2_prm_3 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate."}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency"},{"id":"pl-4_prm_2"},{"id":"pl-4_prm_3","depends-on":"pl-4_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"PL-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons."}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site/application Usage Restrictions","properties":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"PL-04(01)"}],"links":[{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-13","rel":"related","text":"AU-13"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites/applications;"},{"id":"pl-4.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information."}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","properties":[{"name":"label","value":"PL-10"},{"name":"sort-id","value":"PL-10"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#31f3c9de-c57c-4281-929b-f9951f9640f1","rel":"reference","text":"[SP 800-53B]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ee96f130-3f91-46ed-a4d8-57e5f220a623","rel":"reference","text":"[CNSSI 1253]"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments."}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","properties":[{"name":"label","value":"PL-11"},{"name":"sort-id","value":"PL-11"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#31f3c9de-c57c-4281-929b-f9951f9640f1","rel":"reference","text":"[SP 800-53B]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ee96f130-3f91-46ed-a4d8-57e5f220a623","rel":"reference","text":"[CNSSI 1253]"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities."}]}]},{"id":"pm","class":"family","title":"Program Management","controls":[{"id":"pm-1","class":"SP800-53","title":"Information Security Program Plan","parameters":[{"id":"pm-1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-1"},{"name":"sort-id","value":"PM-01"}],"links":[{"href":"#14958422-54f6-471f-a345-802dca594dd8","rel":"reference","text":"[FISMA]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"pm-1_smt","name":"statement","parts":[{"id":"pm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide information security program plan that:","parts":[{"id":"pm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;"},{"id":"pm-1_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Reflects the coordination among organizational entities responsible for information security; and"},{"id":"pm-1_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the organization-wide information security program plan {{ pm-1_prm_1 }};"},{"id":"pm-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and"},{"id":"pm-1_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect the information security program plan from unauthorized disclosure and modification."}]},{"id":"pm-1_gdn","name":"guidance","prose":"An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents.\nInformation security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls."}]},{"id":"pm-2","class":"SP800-53","title":"Information Security Program Leadership Role","properties":[{"name":"label","value":"PM-2"},{"name":"sort-id","value":"PM-02"}],"links":[{"href":"#ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3","rel":"reference","text":"[OMB M-17-25]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"}],"parts":[{"id":"pm-2_smt","name":"statement","prose":"Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program."},{"id":"pm-2_gdn","name":"guidance","prose":"The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer."}]},{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","properties":[{"name":"label","value":"PM-3"},{"name":"sort-id","value":"PM-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","properties":[{"name":"label","value":"PM-4"},{"name":"sort-id","value":"PM-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5."}]},{"id":"pm-5","class":"SP800-53","title":"System Inventory","parameters":[{"id":"pm-5_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-5"},{"name":"sort-id","value":"PM-05"}],"links":[{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"}],"parts":[{"id":"pm-5_smt","name":"statement","prose":"Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems."},{"id":"pm-5_gdn","name":"guidance","prose":"[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8."}],"controls":[{"id":"pm-5.1","class":"SP800-53-enhancement","title":"Inventory of Personally Identifiable Information","parameters":[{"id":"pm-5.1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-5(1)"},{"name":"sort-id","value":"PM-05(01)"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-12","rel":"related","text":"CM-12"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-5.1_smt","name":"statement","prose":"Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information."},{"id":"pm-5.1_gdn","name":"guidance","prose":"An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein."}]}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","properties":[{"name":"label","value":"PM-6"},{"name":"sort-id","value":"PM-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","rel":"reference","text":"[SP 800-55]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-7","rel":"related","text":"CA-7"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program."}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","properties":[{"name":"label","value":"PM-7"},{"name":"sort-id","value":"PM-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines."}],"controls":[{"id":"pm-7.1","class":"SP800-53-enhancement","title":"Offloading","parameters":[{"id":"pm-7.1_prm_1","label":"organization-defined non-essential functions or services"}],"properties":[{"name":"label","value":"PM-7(1)"},{"name":"sort-id","value":"PM-07(01)"}],"links":[{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pm-7.1_smt","name":"statement","prose":"Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider."},{"id":"pm-7.1_gdn","name":"guidance","prose":"Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services."}]}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","properties":[{"name":"label","value":"PM-8"},{"name":"sort-id","value":"PM-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#cde25174-38e0-4a00-8919-8ee3674b8088","rel":"reference","text":"[HSPD 7]"},{"href":"#24b7b1ec-6430-41de-9353-29fdb1b488fc","rel":"reference","text":"[DHS NIPP]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","parameters":[{"id":"pm-9_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-9"},{"name":"sort-id","value":"PM-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive."}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","properties":[{"name":"label","value":"PM-10"},{"name":"sort-id","value":"PM-10"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","parameters":[{"id":"pm-11_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-11"},{"name":"sort-id","value":"PM-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ pm-11_prm_1 }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures."}]},{"id":"pm-12","class":"SP800-53","title":"Insider Threat Program","properties":[{"name":"label","value":"PM-12"},{"name":"sort-id","value":"PM-12"}],"links":[{"href":"#2b5e12fb-633f-49e6-8aff-81d75bf53545","rel":"reference","text":"[EO 13587]"},{"href":"#286d42a1-efbe-49a2-9ce1-4c9bf68feb3b","rel":"reference","text":"[ODNI NITP]"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-16","rel":"related","text":"PM-16"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#pm-14","rel":"related","text":"PM-14"}],"parts":[{"id":"pm-12_smt","name":"statement","prose":"Implement an insider threat program that includes a cross-discipline insider threat incident handling team."},{"id":"pm-12_gdn","name":"guidance","prose":"Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture.\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","properties":[{"name":"label","value":"PM-13"},{"name":"sort-id","value":"PM-13"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f4c3f657-de83-47ae-9aec-e144de8268d1","rel":"reference","text":"[SP 800-181]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","properties":[{"name":"label","value":"PM-14"},{"name":"sort-id","value":"PM-14"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."}]},{"id":"pm-15","class":"SP800-53","title":"Security and Privacy Groups and Associations","properties":[{"name":"label","value":"PM-15"},{"name":"sort-id","value":"PM-15"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-5","rel":"related","text":"SI-5"}],"parts":[{"id":"pm-15_smt","name":"statement","prose":"Establish and institutionalize contact with selected groups and associations within the security and privacy communities:","parts":[{"id":"pm-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"To facilitate ongoing security and privacy education and training for organizational personnel;"},{"id":"pm-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"To maintain currency with recommended security and privacy practices, techniques, and technologies; and"},{"id":"pm-15_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"To share current security and privacy information, including threats, vulnerabilities, and incidents."}]},{"id":"pm-15_gdn","name":"guidance","prose":"Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"pm-16","class":"SP800-53","title":"Threat Awareness Program","properties":[{"name":"label","value":"PM-16"},{"name":"sort-id","value":"PM-16"}],"links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pm-12","rel":"related","text":"PM-12"}],"parts":[{"id":"pm-16_smt","name":"statement","prose":"Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."},{"id":"pm-16_gdn","name":"guidance","prose":"Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared."}],"controls":[{"id":"pm-16.1","class":"SP800-53-enhancement","title":"Automated Means for Sharing Threat Intelligence","properties":[{"name":"label","value":"PM-16(1)"},{"name":"sort-id","value":"PM-16(01)"}],"parts":[{"id":"pm-16.1_smt","name":"statement","prose":"Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information."},{"id":"pm-16.1_gdn","name":"guidance","prose":"To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures."}]}]},{"id":"pm-17","class":"SP800-53","title":"Protecting Controlled Unclassified Information on External Systems","parameters":[{"id":"pm-17_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-17"},{"name":"sort-id","value":"PM-17"}],"links":[{"href":"#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","rel":"reference","text":"[32 CFR 2002]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#dd87fdf0-840d-4392-9de4-220b2327e340","rel":"reference","text":"[NARA CUI]"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#pm-10","rel":"related","text":"PM-10"}],"parts":[{"id":"pm-17_smt","name":"statement","parts":[{"id":"pm-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards."},{"id":"pm-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update the policy and procedures {{ pm-17_prm_1 }}."}]},{"id":"pm-17_gdn","name":"guidance","prose":"Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes."}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","properties":[{"name":"label","value":"PM-18"},{"name":"sort-id","value":"PM-18"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","properties":[{"name":"label","value":"PM-19"},{"name":"sort-id","value":"PM-19"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-20","rel":"related","text":"PM-20"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-24","rel":"related","text":"PM-24"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)."}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","properties":[{"name":"label","value":"PM-20"},{"name":"sort-id","value":"PM-20"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f7d3617a-9a4f-4f1a-a688-845081b70390","rel":"reference","text":"[OMB M-17-06]"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-8","rel":"related","text":"RA-8"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications."}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","properties":[{"name":"label","value":"PM-21"},{"name":"sort-id","value":"PM-21"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pt-2","rel":"related","text":"PT-2"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the person or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions."}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","properties":[{"name":"label","value":"PM-22"},{"name":"sort-id","value":"PM-22"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."}]},{"id":"pm-23","class":"SP800-53","title":"Data Governance Body","parameters":[{"id":"pm-23_prm_1","label":"organization-defined roles"},{"id":"pm-23_prm_2","label":"organization-defined responsibilities"}],"properties":[{"name":"label","value":"PM-23"},{"name":"sort-id","value":"PM-23"}],"links":[{"href":"#43facb7b-0afb-480f-8191-34790d5b444b","rel":"reference","text":"[EVIDACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#d843e915-eeb6-4bbe-8cab-ccc802088703","rel":"reference","text":"[OMB M-19-23]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-19","rel":"related","text":"SI-19"}],"parts":[{"id":"pm-23_smt","name":"statement","prose":"Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}."},{"id":"pm-23_gdn","name":"guidance","prose":"A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]."}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","properties":[{"name":"label","value":"PM-24"},{"name":"sort-id","value":"PM-24"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-8","rel":"related","text":"PT-8"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Pii Used in Testing, Training, and Research","parameters":[{"id":"pm-25_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-25"},{"name":"sort-id","value":"PM-25"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)."}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","parameters":[{"id":"pm-26_prm_1","label":"organization-defined time-period"},{"id":"pm-26_prm_2","label":"organization-defined time-period"},{"id":"pm-26_prm_3","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PM-26"},{"name":"sort-id","value":"PM-26"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and"},{"id":"pm-26_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information."}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","parameters":[{"id":"pm-27_prm_1","label":"organization-defined privacy reports"},{"id":"pm-27_prm_2","label":"organization-defined officials"},{"id":"pm-27_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-27"},{"name":"sort-id","value":"PM-27"}],"links":[{"href":"#14958422-54f6-471f-a345-802dca594dd8","rel":"reference","text":"[FISMA]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop {{ pm-27_prm_1 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ pm-27_prm_3 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."}]},{"id":"pm-28","class":"SP800-53","title":"Risk Framing","parameters":[{"id":"pm-28_prm_1","label":"organization-defined personnel"},{"id":"pm-28_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-28"},{"name":"sort-id","value":"PM-28"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-7","rel":"related","text":"RA-7"}],"parts":[{"id":"pm-28_smt","name":"statement","parts":[{"id":"pm-28_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document:","parts":[{"id":"pm-28_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Assumptions affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Constraints affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Priorities and trade-offs considered by the organization for managing risk; and"},{"id":"pm-28_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Organizational risk tolerance; and"}]},{"id":"pm-28_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute the results of risk framing activities to {{ pm-28_prm_1 }};"},{"id":"pm-28_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update risk framing considerations {{ pm-28_prm_2 }}."}]},{"id":"pm-28_gdn","name":"guidance","prose":"Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management."}]},{"id":"pm-29","class":"SP800-53","title":"Risk Management Program Leadership Roles","properties":[{"name":"label","value":"PM-29"},{"name":"sort-id","value":"PM-29"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-29_smt","name":"statement","parts":[{"id":"pm-29_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and"},{"id":"pm-29_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization."}]},{"id":"pm-29_gdn","name":"guidance","prose":"The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities."}]},{"id":"pm-30","class":"SP800-53","title":"Supply Chain Risk Management Strategy","parameters":[{"id":"pm-30_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-30"},{"name":"sort-id","value":"PM-30"}],"links":[{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-7","rel":"related","text":"SR-7"},{"href":"#sr-8","rel":"related","text":"SR-8"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"pm-30_smt","name":"statement","parts":[{"id":"pm-30_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;"},{"id":"pm-30_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management strategy consistently across the organization; and"},{"id":"pm-30_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes."}]},{"id":"pm-30_gdn","name":"guidance","prose":"An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level."}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","parameters":[{"id":"pm-31_prm_1","label":"organization-defined metrics"},{"id":"pm-31_prm_2","label":"organization-defined frequencies"},{"id":"pm-31_prm_3","label":"organization-defined frequencies"},{"id":"pm-31_prm_4","label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-31"},{"name":"sort-id","value":"PM-31"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};"},{"id":"pm-31_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;"},{"id":"pm-31_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}]},{"id":"pm-32","class":"SP800-53","title":"Purposing","parameters":[{"id":"pm-32_prm_1","label":"organization-defined systems or systems components"}],"properties":[{"name":"label","value":"PM-32"},{"name":"sort-id","value":"PM-32"}],"links":[{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"}],"parts":[{"id":"pm-32_smt","name":"statement","prose":"Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose."},{"id":"pm-32_gdn","name":"guidance","prose":"Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures."}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2"},{"id":"ps-1_prm_3","label":"organization-defined official"},{"id":"ps-1_prm_4","label":"organization-defined frequency"},{"id":"ps-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-1"},{"name":"sort-id","value":"PS-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ps-1_prm_2 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ps-1_prm_4 }}; and"},{"id":"ps-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ps-1_prm_5 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","parameters":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-2"},{"name":"sort-id","value":"PS-02"}],"links":[{"href":"#2383ccfd-d8a0-4e3a-bf40-21288ae1e07a","rel":"reference","text":"[5 CFR 731]"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","parameters":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"}],"properties":[{"name":"label","value":"PS-3"},{"name":"sort-id","value":"PS-03"}],"links":[{"href":"#52a8b0c6-0c6b-424b-928d-41c50ba87838","rel":"reference","text":"[EO 13526]"},{"href":"#2b5e12fb-633f-49e6-8aff-81d75bf53545","rel":"reference","text":"[EO 13587]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-21","rel":"related","text":"SA-21"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","parameters":[{"id":"ps-4_prm_1","label":"organization-defined time-period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"}],"properties":[{"name":"label","value":"PS-4"},{"name":"sort-id","value":"PS-04"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified."}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","parameters":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time-period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-5"},{"name":"sort-id","value":"PS-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-7","rel":"related","text":"PS-7"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","parameters":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-6"},{"name":"sort-id","value":"PS-06"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","parameters":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-7"},{"name":"sort-id","value":"PS-07"}],"links":[{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-21","rel":"related","text":"SA-21"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated."}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","parameters":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-8"},{"name":"sort-id","value":"PS-08"}],"links":[{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#pt-1","rel":"related","text":"PT-1"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2"},{"id":"ra-1_prm_3","label":"organization-defined official"},{"id":"ra-1_prm_4","label":"organization-defined frequency"},{"id":"ra-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-1"},{"name":"sort-id","value":"RA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ra-1_prm_2 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ra-1_prm_4 }}; and"},{"id":"ra-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ra-1_prm_5 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","properties":[{"name":"label","value":"RA-2"},{"name":"sort-id","value":"RA-02"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts.\nSecurity categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant."}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"RA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","parameters":[{"id":"ra-3.1_prm_1","label":"organization-defined systems, system components, and system services"},{"id":"ra-3.1_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-3(1)"},{"name":"sort-id","value":"RA-03(01)"}],"links":[{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#pm-17","rel":"related","text":"PM-17"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and"},{"id":"ra-3.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","parameters":[{"id":"ra-5_prm_1","label":"organization-defined frequency and/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"RA-5"},{"name":"sort-id","value":"RA-05"}],"links":[{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","rel":"reference","text":"[SP 800-126]"},{"href":"#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","rel":"reference","text":"[IR 7788]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\nVulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\nOrganizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update System Vulnerabilities","parameters":[{"id":"ra-5.2_prm_1"},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"RA-05(02)"}],"links":[{"href":"#si-5","rel":"related","text":"SI-5"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","properties":[{"name":"label","value":"RA-7"},{"name":"sort-id","value":"RA-07"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2"},{"id":"sa-1_prm_3","label":"organization-defined official"},{"id":"sa-1_prm_4","label":"organization-defined frequency"},{"id":"sa-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SA-1"},{"name":"sort-id","value":"SA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sa-1_prm_2 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sa-1_prm_4 }}; and"},{"id":"sa-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sa-1_prm_5 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","properties":[{"name":"label","value":"SA-2"},{"name":"sort-id","value":"SA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle."}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","parameters":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"properties":[{"name":"label","value":"SA-3"},{"name":"sort-id","value":"SA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#aad55f03-8ece-4b21-b09c-9ef65b5a9f55","rel":"reference","text":"[SP 800-171B]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-22","rel":"related","text":"SA-22"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-9","rel":"related","text":"SR-9"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle."}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","parameters":[{"id":"sa-4_prm_1"},{"id":"sa-4_prm_2","depends-on":"sa-4_prm_1","label":"organization-defined contract language"}],"properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"SA-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#6ddb507b-6ddb-4e15-a8d4-0854e704446e","rel":"reference","text":"[ISO 15408-1]"},{"href":"#18abb755-c10f-407d-b0ef-4f99e5ec4a49","rel":"reference","text":"[ISO 15408-2]"},{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#daf69edb-a0ef-4447-9880-8c4bf553181f","rel":"reference","text":"[IR 7676]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#5dac2312-1d0d-416f-aebb-400fa9775b74","rel":"reference","text":"[NIAP CCEVS]"},{"href":"#634dec27-df88-4c30-b1a4-b57cdfd24f20","rel":"reference","text":"[NSA CSFC]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement."}],"controls":[{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","properties":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"SA-04(10)"}],"links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pm-9","rel":"related","text":"PM-9"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations."}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","parameters":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-5"},{"name":"sort-id","value":"SA-05"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtain administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Obtain user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect documentation as required, in accordance with the organizational risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Distribute documentation to {{ sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","parameters":[{"id":"sa-8_prm_1","label":"organization-defined systems security and privacy engineering principles"}],"properties":[{"name":"label","value":"SA-8"},{"name":"sort-id","value":"SA-08"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-20","rel":"related","text":"SA-20"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-39","rel":"related","text":"SC-39"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\nThe application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design."}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"SA-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","parameters":[{"id":"sa-22_prm_1"},{"id":"sa-22_prm_2","depends-on":"sa-22_prm_1","label":"organization-defined support from external providers"}],"properties":[{"name":"label","value":"SA-22"},{"name":"sort-id","value":"SA-22"}],"links":[{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors."}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2"},{"id":"sc-1_prm_3","label":"organization-defined official"},{"id":"sc-1_prm_4","label":"organization-defined frequency"},{"id":"sc-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SC-1"},{"name":"sort-id","value":"SC-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sc-1_prm_2 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sc-1_prm_4 }}; and"},{"id":"sc-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sc-1_prm_5 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","parameters":[{"id":"sc-5_prm_1"},{"id":"sc-5_prm_2","label":"organization-defined types of denial of service events"},{"id":"sc-5_prm_3","label":"organization-defined controls by type of denial of service event"}],"properties":[{"name":"label","value":"SC-5"},{"name":"sort-id","value":"SC-05"}],"links":[{"href":"#3862cd94-ff25-4631-9a9a-b92c21a0a923","rel":"reference","text":"[SP 800-189]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#sc-6","rel":"related","text":"SC-6"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-40","rel":"related","text":"SC-40"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"\n {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and"},{"id":"sc-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events."}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","parameters":[{"id":"sc-7_prm_1"}],"properties":[{"name":"label","value":"SC-7"},{"name":"sort-id","value":"SC-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#db7877cf-1013-4fb1-b943-ca9361d16370","rel":"reference","text":"[SP 800-41]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#3862cd94-ff25-4631-9a9a-b92c21a0a923","rel":"reference","text":"[SP 800-189]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-43","rel":"related","text":"SC-43"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions."}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","parameters":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"properties":[{"name":"label","value":"SC-12"},{"name":"sort-id","value":"SC-12"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#77dc1838-3664-4faa-bc6e-4e2a16e52f35","rel":"reference","text":"[SP 800-56A]"},{"href":"#f417e4ec-cadb-47a8-a363-6006b32c28ad","rel":"reference","text":"[SP 800-56B]"},{"href":"#7c3ba335-62bd-4f03-888f-960790409b11","rel":"reference","text":"[SP 800-56C]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#f437b52f-7f26-42aa-8e8f-999e7d67b2fe","rel":"reference","text":"[IR 7956]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-11","rel":"related","text":"SC-11"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","parameters":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses"},{"id":"sc-13_prm_2","label":"organization-defined types of cryptography for each specified cryptographic use"}],"properties":[{"name":"label","value":"SC-13"},{"name":"sort-id","value":"SC-13"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine the {{ sc-13_prm_1 }}; and"},{"id":"sc-13_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","parameters":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"properties":[{"name":"label","value":"SC-15"},{"name":"sort-id","value":"SC-15"}],"links":[{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#sc-42","rel":"related","text":"SC-42"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated."}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name/address Resolution Service (authoritative Source)","properties":[{"name":"label","value":"SC-20"},{"name":"sort-id","value":"SC-20"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-22","rel":"related","text":"SC-22"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name/address Resolution Service (recursive or Caching Resolver)","properties":[{"name":"label","value":"SC-21"},{"name":"sort-id","value":"SC-21"}],"links":[{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-22","rel":"related","text":"SC-22"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name/address Resolution Service","properties":[{"name":"label","value":"SC-22"},{"name":"sort-id","value":"SC-22"}],"links":[{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-24","rel":"related","text":"SC-24"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists."}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","properties":[{"name":"label","value":"SC-39"},{"name":"sort-id","value":"SC-39"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#si-16","rel":"related","text":"SI-16"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2"},{"id":"si-1_prm_3","label":"organization-defined official"},{"id":"si-1_prm_4","label":"organization-defined frequency"},{"id":"si-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-1"},{"name":"sort-id","value":"SI-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ si-1_prm_2 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ si-1_prm_4 }}; and"},{"id":"si-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ si-1_prm_5 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","parameters":[{"id":"si-2_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"SI-2"},{"name":"sort-id","value":"SI-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","rel":"reference","text":"[IR 7788]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-5","rel":"related","text":"SI-5"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\nOrganization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","parameters":[{"id":"si-3_prm_1"},{"id":"si-3_prm_2","label":"organization-defined frequency"},{"id":"si-3_prm_3"},{"id":"si-3_prm_4"},{"id":"si-3_prm_5","depends-on":"si-3_prm_4","label":"organization-defined action"},{"id":"si-3_prm_6","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-3"},{"name":"sort-id","value":"SI-03"}],"links":[{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#c972a85c-fa75-4596-be25-a338dc7e4e46","rel":"reference","text":"[SP 800-125B]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-8","rel":"related","text":"SI-8"},{"href":"#si-15","rel":"related","text":"SI-15"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection."}]},{"id":"si-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions.\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files."}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","parameters":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5"},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-4"},{"name":"sort-id","value":"SI-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#02d8ec60-6197-43f8-9f47-18732127963e","rel":"reference","text":"[SP 800-92]"},{"href":"#41e2e2c6-2260-4258-85c8-09db17c43103","rel":"reference","text":"[SP 800-94]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-10","rel":"related","text":"IA-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#sc-35","rel":"related","text":"SC-35"},{"href":"#sc-36","rel":"related","text":"SC-36"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-6","rel":"related","text":"SI-6"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n {{ si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\nDepending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","parameters":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2"},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"properties":[{"name":"label","value":"SI-5"},{"name":"sort-id","value":"SI-05"}],"links":[{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#pm-15","rel":"related","text":"PM-15"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"SI-12"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sr-1","rel":"related","text":"SR-1"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel."}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sr-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sr-1_prm_2"},{"id":"sr-1_prm_3","label":"organization-defined official"},{"id":"sr-1_prm_4","label":"organization-defined frequency"},{"id":"sr-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-1"},{"name":"sort-id","value":"SR-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sr-1_prm_2 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sr-1_prm_4 }}; and"},{"id":"sr-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sr-1_prm_5 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","parameters":[{"id":"sr-2_prm_1","label":"organization-defined systems, system components, or system services"},{"id":"sr-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-2"},{"name":"sort-id","value":"SR-02"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }};"},{"id":"sr-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management plan consistently across the organization; and"},{"id":"sr-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans.\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8)."}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish Scrm Team","parameters":[{"id":"sr-2.1_prm_1","label":"organization-defined personnel, roles, and responsibilities"},{"id":"sr-2.1_prm_2","label":"organization-defined supply chain risk management activities"}],"properties":[{"name":"label","value":"SR-2(1)"},{"name":"sort-id","value":"SR-02(01)"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team."}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","parameters":[{"id":"sr-3_prm_1","label":"organization-defined system or system component"},{"id":"sr-3_prm_2","label":"organization-defined supply chain personnel"},{"id":"sr-3_prm_3","label":"organization-defined supply chain controls"},{"id":"sr-3_prm_4"},{"id":"sr-3_prm_5","depends-on":"sr-3_prm_4","label":"organization-defined document"}],"properties":[{"name":"label","value":"SR-3"},{"name":"sort-id","value":"SR-03"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-29","rel":"related","text":"SC-29"},{"href":"#sc-30","rel":"related","text":"SC-30"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }};"},{"id":"sr-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and"},{"id":"sr-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","parameters":[{"id":"sr-5_prm_1","label":"organization-defined acquisition strategies, contract tools, and procurement methods"}],"properties":[{"name":"label","value":"SR-5"},{"name":"sort-id","value":"SR-05"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","parameters":[{"id":"sr-8_prm_1"},{"id":"sr-8_prm_2","depends-on":"sr-8_prm_1","label":"organization-defined information"}],"properties":[{"name":"label","value":"SR-8"},{"name":"sort-id","value":"SR-08"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","parameters":[{"id":"sr-10_prm_1"},{"id":"sr-10_prm_2","depends-on":"sr-10_prm_1","label":"organization-defined frequency"},{"id":"sr-10_prm_3","depends-on":"sr-10_prm_1","label":"organization-defined indications of need for inspection"},{"id":"sr-10_prm_4","label":"organization-defined systems or system components"}],"properties":[{"name":"label","value":"SR-10"},{"name":"sort-id","value":"SR-10"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations."}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","parameters":[{"id":"sr-11_prm_1"},{"id":"sr-11_prm_2","depends-on":"sr-11_prm_1","label":"organization-defined external reporting organizations"},{"id":"sr-11_prm_3","depends-on":"sr-11_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SR-11"},{"name":"sort-id","value":"SR-11"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ sr-11_prm_1 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","parameters":[{"id":"sr-11.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SR-11(1)"},{"name":"sort-id","value":"SR-11(01)"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","parameters":[{"id":"sr-11.2_prm_1","label":"organization-defined system components"}],"properties":[{"name":"label","value":"SR-11(2)"},{"name":"sort-id","value":"SR-11(02)"}],"links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sa-10","rel":"related","text":"SA-10"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."}]},{"id":"sr-11.3","class":"SP800-53-enhancement","title":"Component Disposal","parameters":[{"id":"sr-11.3_prm_1","label":"organization-defined techniques and methods"}],"properties":[{"name":"label","value":"SR-11(3)"},{"name":"sort-id","value":"SR-11(03)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"}],"parts":[{"id":"sr-11.3_smt","name":"statement","prose":"Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}."},{"id":"sr-11.3_gdn","name":"guidance","prose":"Proper disposal of system components helps to prevent such components from entering the gray market."}]}]}]}],"back-matter":{"resources":[{"uuid":"a7dfa526-b81f-41d7-9875-c8b0faafe74b","title":"[PRIVACT]","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf"}]},{"uuid":"43facb7b-0afb-480f-8191-34790d5b444b","title":"[EVIDACT]","citation":{"text":"Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019."},"rlinks":[{"href":"https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf"}]},{"uuid":"52a8b0c6-0c6b-424b-928d-41c50ba87838","title":"[EO 13526]","citation":{"text":"Executive Order 13526, *Classified National Security Information*, December 2009."},"rlinks":[{"href":"https://www.archives.gov/isoo/policy-documents/cnsi-eo.html"}]},{"uuid":"14958422-54f6-471f-a345-802dca594dd8","title":"[FISMA]","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf"}]},{"uuid":"2b5e12fb-633f-49e6-8aff-81d75bf53545","title":"[EO 13587]","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011."},"rlinks":[{"href":"https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"cde25174-38e0-4a00-8919-8ee3674b8088","title":"[HSPD 7]","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003."},"rlinks":[{"href":"https://www.dhs.gov/homeland-security-presidential-directive-7"}]},{"uuid":"2383ccfd-d8a0-4e3a-bf40-21288ae1e07a","title":"[5 CFR 731]","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106)."},"rlinks":[{"href":"https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","title":"[32 CFR 2002]","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002)."},"rlinks":[{"href":"https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information"}]},{"uuid":"286d42a1-efbe-49a2-9ce1-4c9bf68feb3b","title":"[ODNI NITP]","citation":{"text":"Office of the Director National Intelligence, *National Insider Threat Policy*\n "},"rlinks":[{"href":"https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf"}]},{"uuid":"395f6bb9-bcc2-41fc-977f-04372f4a6a82","title":"[OMB A-108]","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf"}]},{"uuid":"a646d45d-775f-4887-86d3-5a00ffbc4090","title":"[OMB A-130]","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016."},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf"}]},{"uuid":"f7d3617a-9a4f-4f1a-a688-845081b70390","title":"[OMB M-17-06]","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf"}]},{"uuid":"389fe193-866e-46b1-bf1d-38904b56aa7b","title":"[OMB M-17-12]","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n "},"rlinks":[{"href":"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf"}]},{"uuid":"ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3","title":"[OMB M-17-25]","citation":{"text":"Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf"}]},{"uuid":"d843e915-eeb6-4bbe-8cab-ccc802088703","title":"[OMB M-19-23]","citation":{"text":"Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf"}]},{"uuid":"ee96f130-3f91-46ed-a4d8-57e5f220a623","title":"[CNSSI 1253]","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014."},"rlinks":[{"href":"https://www.cnss.gov/CNSS/issuances/Instructions.cfm"}]},{"uuid":"24b7b1ec-6430-41de-9353-29fdb1b488fc","title":"[DHS NIPP]","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009."},"rlinks":[{"href":"https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf"}]},{"uuid":"6ddb507b-6ddb-4e15-a8d4-0854e704446e","title":"[ISO 15408-1]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf"}]},{"uuid":"18abb755-c10f-407d-b0ef-4f99e5ec4a49","title":"[ISO 15408-2]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf"}]},{"uuid":"2ce3a8bf-7f8b-4249-bd16-808231415b14","title":"[ISO 15408-3]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf"}]},{"uuid":"aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","title":"[FIPS 140-3]","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.140-3"}]},{"uuid":"d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","title":"[FIPS 180-4]","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.180-4"}]},{"uuid":"0b9fe06d-1b89-4dba-b9f8-3baf51504b17","title":"[FIPS 186-4]","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.186-4"}]},{"uuid":"bbc7085f-b383-444e-af74-722a55cccc0f","title":"[FIPS 197]","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.197"}]},{"uuid":"b3e26423-0687-47c7-ba9a-a96870d58a27","title":"[FIPS 199]","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.199"}]},{"uuid":"f2163084-3287-45e2-9ee7-95f020415495","title":"[FIPS 200]","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.200"}]},{"uuid":"ab414c48-b7a2-4ffe-b74d-4d8b8120adce","title":"[FIPS 201-2]","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.201-2"}]},{"uuid":"11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","title":"[FIPS 202]","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.202"}]},{"uuid":"12702585-0c72-43c9-9185-a76a59f74233","title":"[SP 800-12]","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"ae962073-f9bb-4210-b1ad-53ef6f6afad6","title":"[SP 800-18]","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-18r1"}]},{"uuid":"1d9f757b-00d5-4db1-b15b-0ad641c6df7c","title":"[SP 800-30]","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-30r1"}]},{"uuid":"65774382-fcc6-4bbc-89fc-9d35aab19952","title":"[SP 800-34]","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-34r1"}]},{"uuid":"ed919d0d-8e21-4df6-801d-3fbc4cb8a505","title":"[SP 800-35]","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-35"}]},{"uuid":"e07d73ea-96b9-4330-aff2-e0215f455343","title":"[SP 800-37]","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-37r2"}]},{"uuid":"451e9636-402e-4c27-b3f5-e0e50f957f27","title":"[SP 800-39]","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-39"}]},{"uuid":"1126ec09-2b27-4a21-80b2-fef70b31c49d","title":"[SP 800-40]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-40r3"}]},{"uuid":"db7877cf-1013-4fb1-b943-ca9361d16370","title":"[SP 800-41]","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-41r1"}]},{"uuid":"7768c184-088d-4ee8-a316-f9286b52df7f","title":"[SP 800-46]","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-46r2"}]},{"uuid":"2e66c31a-190e-49ad-8e00-f306f8a0df17","title":"[SP 800-47]","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-47"}]},{"uuid":"2e29c363-d5be-47ba-92f5-f8a58a69b65e","title":"[SP 800-50]","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-50"}]},{"uuid":"5db6dfe4-788e-4183-93b9-f6fb29d75e41","title":"[SP 800-53A]","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-53Ar4"}]},{"uuid":"31f3c9de-c57c-4281-929b-f9951f9640f1","title":"[SP 800-53B]","citation":{"text":"National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020."}},{"uuid":"8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","title":"[SP 800-55]","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-55r1"}]},{"uuid":"77dc1838-3664-4faa-bc6e-4e2a16e52f35","title":"[SP 800-56A]","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Ar3"}]},{"uuid":"f417e4ec-cadb-47a8-a363-6006b32c28ad","title":"[SP 800-56B]","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Br2"}]},{"uuid":"7c3ba335-62bd-4f03-888f-960790409b11","title":"[SP 800-56C]","citation":{"text":"Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Cr1"}]},{"uuid":"770f9bdc-4023-48ef-8206-c65397f061ea","title":"[SP 800-57-1]","citation":{"text":"Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt1r4"}]},{"uuid":"69644a9e-438a-47c3-bac9-cf28b5baf848","title":"[SP 800-57-2]","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt2r1"}]},{"uuid":"9933c883-e8f3-4a83-9a9a-d1e058038080","title":"[SP 800-57-3]","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt3r1"}]},{"uuid":"68949f14-9cf5-4116-91d8-e820b9df3ffd","title":"[SP 800-60 v1]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v1r1"}]},{"uuid":"e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","title":"[SP 800-60 v2]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v2r1"}]},{"uuid":"7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","title":"[SP 800-61]","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-61r2"}]},{"uuid":"549993c0-9bdd-4d49-875c-f56950cc5f30","title":"[SP 800-63-3]","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-63-3"}]},{"uuid":"14a7d982-9747-48e0-a877-3e8fbf6ae381","title":"[SP 800-70]","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-70r4"}]},{"uuid":"3d6b3a16-94e7-4a43-8648-8bdeaadb271b","title":"[SP 800-73-4]","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-73-4"}]},{"uuid":"d5ef0056-c807-44c3-a7b5-6eb491538f8e","title":"[SP 800-76-2]","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-76-2"}]},{"uuid":"8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","title":"[SP 800-77]","citation":{"text":"Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-77"}]},{"uuid":"013e098f-0680-4856-a130-b768c69dab9c","title":"[SP 800-78-4]","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-78-4"}]},{"uuid":"bb55e71a-e059-4263-8dd8-bc96fd3f063d","title":"[SP 800-79-2]","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-79-2"}]},{"uuid":"93d44344-59f9-4669-845d-6cc2a5852621","title":"[SP 800-81-2]","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-81-2"}]},{"uuid":"8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","title":"[SP 800-83]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-83r1"}]},{"uuid":"20bf433b-074c-47a0-8fca-cd591772ccd6","title":"[SP 800-84]","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-84"}]},{"uuid":"35dfd59f-eef2-4f71-bdb5-6d878267456a","title":"[SP 800-86]","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-86"}]},{"uuid":"fed6a3b5-2b74-499f-9172-46671f7c24c8","title":"[SP 800-88]","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-88r1"}]},{"uuid":"02d8ec60-6197-43f8-9f47-18732127963e","title":"[SP 800-92]","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-92"}]},{"uuid":"41e2e2c6-2260-4258-85c8-09db17c43103","title":"[SP 800-94]","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-94"}]},{"uuid":"6bed1550-cd5d-4e80-8d83-4e597c1514fe","title":"[SP 800-97]","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-97"}]},{"uuid":"9183bd83-170e-4701-b32c-97e08ef8bedb","title":"[SP 800-100]","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"1e2c475a-84ae-4c60-b420-8fb2ea552b71","title":"[SP 800-101]","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-101r1"}]},{"uuid":"1b14b50f-7154-4226-958c-7dfff8276755","title":"[SP 800-111]","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-111"}]},{"uuid":"36132a58-56fd-4980-9f6c-c010d3faf52b","title":"[SP 800-113]","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-113"}]},{"uuid":"49fa1ee1-aaf7-4270-bb5a-a86497f717dc","title":"[SP 800-114]","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-114r1"}]},{"uuid":"a6b97214-55d4-4b86-a3a4-53d5911d96f7","title":"[SP 800-115]","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"ad7d575f-b5fe-489b-8d48-36a93d964a5f","title":"[SP 800-116]","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-116r1"}]},{"uuid":"60b24979-65b8-4ca5-a442-11b74339fab5","title":"[SP 800-121]","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-121r2"}]},{"uuid":"18c6942b-95f8-414c-b548-c8e6b8d8a172","title":"[SP 800-124]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-124r1"}]},{"uuid":"c972a85c-fa75-4596-be25-a338dc7e4e46","title":"[SP 800-125B]","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-125B"}]},{"uuid":"0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","title":"[SP 800-126]","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-126r3"}]},{"uuid":"a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","title":"[SP 800-128]","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-128"}]},{"uuid":"ae412317-c2b4-47bb-b47b-c329ce0d7a0b","title":"[SP 800-130]","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-130"}]},{"uuid":"c3b34083-77b2-4dab-a980-73068f8933bd","title":"[SP 800-137]","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-137"}]},{"uuid":"ad3e8f21-07c6-4968-b002-00b64dfa70ae","title":"[SP 800-150]","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-150"}]},{"uuid":"38dbdf55-9a14-446f-b563-c48e4e3d37fb","title":"[SP 800-152]","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-152"}]},{"uuid":"f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa","title":"[SP 800-156]","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-156"}]},{"uuid":"8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","title":"[SP 800-160 v1]","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v1"}]},{"uuid":"8411e6e8-09bd-431d-bbcb-3423d36ad880","title":"[SP 800-160 v2]","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v2"}]},{"uuid":"66476e76-46b4-47fb-be19-d13e6f3840df","title":"[SP 800-161]","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-161"}]},{"uuid":"359f960c-2598-454c-ba3b-a30c553e498f","title":"[SP 800-162]","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-162"}]},{"uuid":"a8f55663-86c5-415b-aabe-d2a126981d65","title":"[SP 800-166]","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-166"}]},{"uuid":"893d1736-324c-41d6-a5f4-d526b5ca981a","title":"[SP 800-167]","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-167"}]},{"uuid":"0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","title":"[SP 800-171]","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-171r2"}]},{"uuid":"aad55f03-8ece-4b21-b09c-9ef65b5a9f55","title":"[SP 800-171B]","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B."},"rlinks":[{"href":"https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf"}]},{"uuid":"64e044e4-b2a9-490f-a079-1106407c812f","title":"[SP 800-177]","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-177r1"}]},{"uuid":"223b23a9-baea-4a50-8058-63cf7967b61f","title":"[SP 800-178]","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-178"}]},{"uuid":"f4c3f657-de83-47ae-9aec-e144de8268d1","title":"[SP 800-181]","citation":{"text":"Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-181"}]},{"uuid":"08f518f7-f9b9-4bee-8986-860214f46b16","title":"[SP 800-184]","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-184"}]},{"uuid":"eadef75e-7e4d-4554-b818-44946c1dde0e","title":"[SP 800-188]","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https://csrc.nist.gov/publications/detail/sp/800-188/draft"}]},{"uuid":"3862cd94-ff25-4631-9a9a-b92c21a0a923","title":"[SP 800-189]","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-189"}]},{"uuid":"06d3c11a-4a00-42d9-ad75-e6a777ffae5e","title":"[SP 800-192]","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-192"}]},{"uuid":"d4779b49-8acc-45ef-b4f0-30f945e81d1b","title":"[IR 7539]","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7539"}]},{"uuid":"09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","title":"[IR 7559]","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7559"}]},{"uuid":"7b03adec-4405-4aac-94a0-6a9eb3f42e31","title":"[IR 7622]","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7622"}]},{"uuid":"daf69edb-a0ef-4447-9880-8c4bf553181f","title":"[IR 7676]","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7676"}]},{"uuid":"bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","title":"[IR 7788]","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7788"}]},{"uuid":"a49f67fc-827c-40e6-9a37-2b1cbe8142fd","title":"[IR 7817]","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7817"}]},{"uuid":"972c10bd-aedf-485f-b0db-f46a402127e2","title":"[IR 7849]","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7849"}]},{"uuid":"197f7ba7-9af8-4a67-b3a4-5523d850e53b","title":"[IR 7870]","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7870"}]},{"uuid":"bb22d510-54a9-4588-b725-00d37576562b","title":"[IR 7874]","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7874"}]},{"uuid":"f437b52f-7f26-42aa-8e8f-999e7d67b2fe","title":"[IR 7956]","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7956"}]},{"uuid":"30213e10-2aca-47b3-8cdb-61303e0959f5","title":"[IR 7966]","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7966"}]},{"uuid":"851b5ba4-6aa0-4583-857c-4c360cbdf2a0","title":"[IR 8011 v1]","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8011-1"}]},{"uuid":"7e7538d7-9c3a-4e5f-bbb4-638cec975415","title":"[IR 8023]","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8023"}]},{"uuid":"24738ee6-b3f3-4e37-825b-58775846bdbc","title":"[IR 8040]","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8040"}]},{"uuid":"817b4227-5857-494d-9032-915980b32f15","title":"[IR 8062]","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8062"}]},{"uuid":"7a93e915-fd58-4147-be12-e48044c367e6","title":"[IR 8179]","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8179"}]},{"uuid":"294eed19-7471-4517-9480-2ec73e7c6a78","title":"[DOD STIG]","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https://iase.disa.mil/stigs/Pages/index.aspx"}]},{"uuid":"17ca9481-ea11-4ef2-81c1-885fd37d4be5","title":"[IETF 5905]","citation":{"text":""}},{"uuid":"dd87fdf0-840d-4392-9de4-220b2327e340","title":"[NARA CUI]","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https://www.archives.gov/cui"}]},{"uuid":"5dac2312-1d0d-416f-aebb-400fa9775b74","title":"[NIAP CCEVS]","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https://www.niap-ccevs.org/"}]},{"uuid":"5cc04a1c-5489-4751-a493-746a9639067b","title":"[NCPR]","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at"},"rlinks":[{"href":"https://nvd.nist.gov/ncp/repository"}]},{"uuid":"634dec27-df88-4c30-b1a4-b57cdfd24f20","title":"[NSA CSFC]","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/csfc"}]},{"uuid":"a52271dc-11b5-423a-8b6f-14867bd94259","title":"[NSA MEDIA]","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/media-destruction"}]},{"uuid":"06842bea-64c9-4e20-807a-b8fc003fa737","title":"[USGCB]","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at"},"rlinks":[{"href":"https://csrc.nist.gov/projects/united-states-government-configuration-baseline"}]}]}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.json deleted file mode 100644 index 58a1b40aac..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.json +++ /dev/null @@ -1,27293 +0,0 @@ -{ - "catalog": { - "uuid": "ab1003f2-c716-4c18-873c-2ae4ae46d829", - "metadata": { - "title": "SP800-53 LOW IMPACT BASELINE", - "last-modified": "2020-08-26T16:28:37.432-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "properties": [ - { - "name": "resolution-timestamp", - "value": "2020-08-31T17:39:43.230651Z" - } - ], - "links": [ - { - "href": "NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml", - "rel": "resolution-source", - "text": "SP800-53 LOW IMPACT BASELINE" - } - ], - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "fcba95f8-df3b-47cd-ae6f-57089a2b7174", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "fcba95f8-df3b-47cd-ae6f-57089a2b7174" - ] - }, - "contact": { - "party-uuids": [ - "fcba95f8-df3b-47cd-ae6f-57089a2b7174" - ] - } - } - }, - "groups": [ - { - "id": "ac", - "class": "family", - "title": "Access Control", - "controls": [ - { - "id": "ac-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ac-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-1_prm_2" - }, - { - "id": "ac-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ac-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ac-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-1" - }, - { - "name": "sort-id", - "value": "AC-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ac-1_smt", - "name": "statement", - "parts": [ - { - "id": "ac-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ac-1_prm_1 }}:", - "parts": [ - { - "id": "ac-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ac-1_prm_2 }} access control policy that:", - "parts": [ - { - "id": "ac-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ac-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ac-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" - } - ] - }, - { - "id": "ac-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" - }, - { - "id": "ac-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current access control:", - "parts": [ - { - "id": "ac-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ac-1_prm_4 }}; and" - }, - { - "id": "ac-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ac-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ac-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ac-2", - "class": "SP800-53", - "title": "Account Management", - "parameters": [ - { - "id": "ac-2_prm_1", - "label": "organization-defined attributes (as required)" - }, - { - "id": "ac-2_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-2_prm_3", - "label": "organization-defined policy, procedures, and conditions" - }, - { - "id": "ac-2_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-2_prm_5", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_6", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_7", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_8", - "label": "organization-defined attributes (as required)" - }, - { - "id": "ac-2_prm_9", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2" - }, - { - "name": "sort-id", - "value": "AC-02" - } - ], - "links": [ - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#06d3c11a-4a00-42d9-ad75-e6a777ffae5e", - "rel": "reference", - "text": "[SP 800-192]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ac-24", - "rel": "related", - "text": "AC-24" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - } - ], - "parts": [ - { - "id": "ac-2_smt", - "name": "statement", - "parts": [ - { - "id": "ac-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define and document the types of accounts allowed for use within the system;" - }, - { - "id": "ac-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Assign account managers;" - }, - { - "id": "ac-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Establish conditions for group and role membership;" - }, - { - "id": "ac-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Specify:", - "parts": [ - { - "id": "ac-2_smt.d.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Authorized users of the system;" - }, - { - "id": "ac-2_smt.d.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Group and role membership; and" - }, - { - "id": "ac-2_smt.d.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account;" - } - ] - }, - { - "id": "ac-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Require approvals by {{ ac-2_prm_2 }} for requests to create accounts;" - }, - { - "id": "ac-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }};" - }, - { - "id": "ac-2_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Monitor the use of accounts;" - }, - { - "id": "ac-2_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Notify account managers and {{ ac-2_prm_4 }} within:", - "parts": [ - { - "id": "ac-2_smt.h.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ac-2_prm_5 }} when accounts are no longer required;" - }, - { - "id": "ac-2_smt.h.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ ac-2_prm_6 }} when users are terminated or transferred; and" - }, - { - "id": "ac-2_smt.h.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "\n {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual;" - } - ] - }, - { - "id": "ac-2_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Authorize access to the system based on:", - "parts": [ - { - "id": "ac-2_smt.i.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "A valid access authorization;" - }, - { - "id": "ac-2_smt.i.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Intended system usage; and" - }, - { - "id": "ac-2_smt.i.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "\n {{ ac-2_prm_8 }};" - } - ] - }, - { - "id": "ac-2_smt.j", - "name": "item", - "properties": [ - { - "name": "label", - "value": "j." - } - ], - "prose": "Review accounts for compliance with account management requirements {{ ac-2_prm_9 }};" - }, - { - "id": "ac-2_smt.k", - "name": "item", - "properties": [ - { - "name": "label", - "value": "k." - } - ], - "prose": "Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and" - }, - { - "id": "ac-2_smt.l", - "name": "item", - "properties": [ - { - "name": "label", - "value": "l." - } - ], - "prose": "Align account management processes with personnel termination and transfer processes." - } - ] - }, - { - "id": "ac-2_gdn", - "name": "guidance", - "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy.\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." - } - ] - }, - { - "id": "ac-3", - "class": "SP800-53", - "title": "Access Enforcement", - "properties": [ - { - "name": "label", - "value": "AC-3" - }, - { - "name": "sort-id", - "value": "AC-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#ac-24", - "rel": "related", - "text": "AC-24" - }, - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-4", - "rel": "related", - "text": "SC-4" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-3_smt", - "name": "statement", - "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." - }, - { - "id": "ac-3_gdn", - "name": "guidance", - "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family." - } - ] - }, - { - "id": "ac-7", - "class": "SP800-53", - "title": "Unsuccessful Logon Attempts", - "parameters": [ - { - "id": "ac-7_prm_1", - "label": "organization-defined number" - }, - { - "id": "ac-7_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "ac-7_prm_3" - }, - { - "id": "ac-7_prm_4", - "depends-on": "ac-7_prm_3", - "label": "organization-defined time-period" - }, - { - "id": "ac-7_prm_5", - "depends-on": "ac-7_prm_3", - "label": "organization-defined delay algorithm" - }, - { - "id": "ac-7_prm_6", - "depends-on": "ac-7_prm_3", - "label": "organization-defined action" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-7" - }, - { - "name": "sort-id", - "value": "AC-07" - } - ], - "links": [ - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-9", - "rel": "related", - "text": "AC-9" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - } - ], - "parts": [ - { - "id": "ac-7_smt", - "name": "statement", - "parts": [ - { - "id": "ac-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and" - }, - { - "id": "ac-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded." - } - ] - }, - { - "id": "ac-7_gdn", - "name": "guidance", - "prose": "This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address.\nTechniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." - } - ] - }, - { - "id": "ac-8", - "class": "SP800-53", - "title": "System Use Notification", - "parameters": [ - { - "id": "ac-8_prm_1", - "label": "organization-defined system use notification message or banner" - }, - { - "id": "ac-8_prm_2", - "label": "organization-defined conditions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-8" - }, - { - "name": "sort-id", - "value": "AC-08" - } - ], - "links": [ - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-8_smt", - "name": "statement", - "parts": [ - { - "id": "ac-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", - "parts": [ - { - "id": "ac-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Users are accessing a U.S. Government system;" - }, - { - "id": "ac-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "System usage may be monitored, recorded, and subject to audit;" - }, - { - "id": "ac-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" - }, - { - "id": "ac-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Use of the system indicates consent to monitoring and recording;" - } - ] - }, - { - "id": "ac-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" - }, - { - "id": "ac-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "For publicly accessible systems:", - "parts": [ - { - "id": "ac-8_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system;" - }, - { - "id": "ac-8_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" - }, - { - "id": "ac-8_smt.c.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Include a description of the authorized uses of the system." - } - ] - } - ] - }, - { - "id": "ac-8_gdn", - "name": "guidance", - "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content." - } - ] - }, - { - "id": "ac-14", - "class": "SP800-53", - "title": "Permitted Actions Without Identification or Authentication", - "parameters": [ - { - "id": "ac-14_prm_1", - "label": "organization-defined user actions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-14" - }, - { - "name": "sort-id", - "value": "AC-14" - } - ], - "links": [ - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "ac-14_smt", - "name": "statement", - "parts": [ - { - "id": "ac-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and" - }, - { - "id": "ac-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." - } - ] - }, - { - "id": "ac-14_gdn", - "name": "guidance", - "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none." - } - ] - }, - { - "id": "ac-17", - "class": "SP800-53", - "title": "Remote Access", - "properties": [ - { - "name": "label", - "value": "AC-17" - }, - { - "name": "sort-id", - "value": "AC-17" - } - ], - "links": [ - { - "href": "#7768c184-088d-4ee8-a316-f9286b52df7f", - "rel": "reference", - "text": "[SP 800-46]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#36132a58-56fd-4980-9f6c-c010d3faf52b", - "rel": "reference", - "text": "[SP 800-113]" - }, - { - "href": "#49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "rel": "reference", - "text": "[SP 800-114]" - }, - { - "href": "#60b24979-65b8-4ca5-a442-11b74339fab5", - "rel": "reference", - "text": "[SP 800-121]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-17", - "rel": "related", - "text": "PE-17" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-17_smt", - "name": "statement", - "parts": [ - { - "id": "ac-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" - }, - { - "id": "ac-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize each type of remote access to the system prior to allowing such connections." - } - ] - }, - { - "id": "ac-17_gdn", - "name": "guidance", - "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3." - } - ] - }, - { - "id": "ac-18", - "class": "SP800-53", - "title": "Wireless Access", - "properties": [ - { - "name": "label", - "value": "AC-18" - }, - { - "name": "sort-id", - "value": "AC-18" - } - ], - "links": [ - { - "href": "#41e2e2c6-2260-4258-85c8-09db17c43103", - "rel": "reference", - "text": "[SP 800-94]" - }, - { - "href": "#6bed1550-cd5d-4e80-8d83-4e597c1514fe", - "rel": "reference", - "text": "[SP 800-97]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-18_smt", - "name": "statement", - "parts": [ - { - "id": "ac-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" - }, - { - "id": "ac-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize each type of wireless access to the system prior to allowing such connections." - } - ] - }, - { - "id": "ac-18_gdn", - "name": "guidance", - "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication." - } - ] - }, - { - "id": "ac-19", - "class": "SP800-53", - "title": "Access Control for Mobile Devices", - "properties": [ - { - "name": "label", - "value": "AC-19" - }, - { - "name": "sort-id", - "value": "AC-19" - } - ], - "links": [ - { - "href": "#49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "rel": "reference", - "text": "[SP 800-114]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-19_smt", - "name": "statement", - "parts": [ - { - "id": "ac-19_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" - }, - { - "id": "ac-19_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize the connection of mobile devices to organizational systems." - } - ] - }, - { - "id": "ac-19_gdn", - "name": "guidance", - "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled." - } - ] - }, - { - "id": "ac-20", - "class": "SP800-53", - "title": "Use of External Systems", - "parameters": [ - { - "id": "ac-20_prm_1" - }, - { - "id": "ac-20_prm_2", - "depends-on": "ac-20_prm_1", - "label": "organization-defined terms and conditions" - }, - { - "id": "ac-20_prm_3", - "depends-on": "ac-20_prm_1", - "label": "organization-defined controls asserted to be implemented on external systems" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-20" - }, - { - "name": "sort-id", - "value": "AC-20" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "rel": "reference", - "text": "[SP 800-171B]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "ac-20_smt", - "name": "statement", - "prose": "Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", - "parts": [ - { - "id": "ac-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Access the system from external systems; and" - }, - { - "id": "ac-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Process, store, or transmit organization-controlled information using external systems." - } - ] - }, - { - "id": "ac-20_gdn", - "name": "guidance", - "prose": "External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries.\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\nThis control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." - } - ] - }, - { - "id": "ac-22", - "class": "SP800-53", - "title": "Publicly Accessible Content", - "parameters": [ - { - "id": "ac-22_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-22" - }, - { - "name": "sort-id", - "value": "AC-22" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - } - ], - "parts": [ - { - "id": "ac-22_smt", - "name": "statement", - "parts": [ - { - "id": "ac-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Designate individuals authorized to make information publicly accessible;" - }, - { - "id": "ac-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" - }, - { - "id": "ac-22_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" - }, - { - "id": "ac-22_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered." - } - ] - }, - { - "id": "ac-22_gdn", - "name": "guidance", - "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible." - } - ] - } - ] - }, - { - "id": "at", - "class": "family", - "title": "Awareness and Training", - "controls": [ - { - "id": "at-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "at-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "at-1_prm_2" - }, - { - "id": "at-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "at-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "at-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-1" - }, - { - "name": "sort-id", - "value": "AT-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-1_smt", - "name": "statement", - "parts": [ - { - "id": "at-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ at-1_prm_1 }}:", - "parts": [ - { - "id": "at-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ at-1_prm_2 }} awareness and training policy that:", - "parts": [ - { - "id": "at-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "at-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "at-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" - } - ] - }, - { - "id": "at-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" - }, - { - "id": "at-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current awareness and training:", - "parts": [ - { - "id": "at-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ at-1_prm_4 }}; and" - }, - { - "id": "at-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ at-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "at-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "at-2", - "class": "SP800-53", - "title": "Awareness Training", - "parameters": [ - { - "id": "at-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "at-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-2" - }, - { - "name": "sort-id", - "value": "AT-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - } - ], - "parts": [ - { - "id": "at-2_smt", - "name": "statement", - "parts": [ - { - "id": "at-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):", - "parts": [ - { - "id": "at-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and" - }, - { - "id": "at-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update awareness training {{ at-2_prm_2 }}." - } - ] - }, - { - "id": "at-2_gdn", - "name": "guidance", - "prose": "Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective." - } - ], - "controls": [ - { - "id": "at-2.2", - "class": "SP800-53-enhancement", - "title": "Insider Threat", - "properties": [ - { - "name": "label", - "value": "AT-2(2)" - }, - { - "name": "sort-id", - "value": "AT-02(02)" - } - ], - "links": [ - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - } - ], - "parts": [ - { - "id": "at-2.2_smt", - "name": "statement", - "prose": "Provide awareness training on recognizing and reporting potential indicators of insider threat." - }, - { - "id": "at-2.2_gdn", - "name": "guidance", - "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations." - } - ] - } - ] - }, - { - "id": "at-3", - "class": "SP800-53", - "title": "Role-based Training", - "parameters": [ - { - "id": "at-3_prm_1", - "label": "organization-defined roles and responsibilities" - }, - { - "id": "at-3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "at-3_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-3" - }, - { - "name": "sort-id", - "value": "AT-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "at-3_smt", - "name": "statement", - "parts": [ - { - "id": "at-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:", - "parts": [ - { - "id": "at-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and" - }, - { - "id": "at-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update role-based training {{ at-3_prm_3 }}." - } - ] - }, - { - "id": "at-3_gdn", - "name": "guidance", - "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective." - } - ] - }, - { - "id": "at-4", - "class": "SP800-53", - "title": "Training Records", - "parameters": [ - { - "id": "at-4_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-4" - }, - { - "name": "sort-id", - "value": "AT-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-4_smt", - "name": "statement", - "parts": [ - { - "id": "at-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" - }, - { - "id": "at-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain individual training records for {{ at-4_prm_1 }}." - } - ] - }, - { - "id": "at-4_gdn", - "name": "guidance", - "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." - } - ] - } - ] - }, - { - "id": "au", - "class": "family", - "title": "Audit and Accountability", - "controls": [ - { - "id": "au-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "au-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "au-1_prm_2" - }, - { - "id": "au-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "au-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "au-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-1" - }, - { - "name": "sort-id", - "value": "AU-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-1_smt", - "name": "statement", - "parts": [ - { - "id": "au-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ au-1_prm_1 }}:", - "parts": [ - { - "id": "au-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ au-1_prm_2 }} audit and accountability policy that:", - "parts": [ - { - "id": "au-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "au-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "au-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" - } - ] - }, - { - "id": "au-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" - }, - { - "id": "au-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current audit and accountability:", - "parts": [ - { - "id": "au-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ au-1_prm_4 }}; and" - }, - { - "id": "au-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ au-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "au-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "au-2", - "class": "SP800-53", - "title": "Event Logging", - "parameters": [ - { - "id": "au-2_prm_1", - "label": "organization-defined event types that the system is capable of logging" - }, - { - "id": "au-2_prm_2", - "label": "organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type" - }, - { - "id": "au-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-2" - }, - { - "name": "sort-id", - "value": "AU-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#02d8ec60-6197-43f8-9f47-18732127963e", - "rel": "reference", - "text": "[SP 800-92]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "au-2_smt", - "name": "statement", - "parts": [ - { - "id": "au-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};" - }, - { - "id": "au-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" - }, - { - "id": "au-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Specify the following event types for logging within the system: {{ au-2_prm_2 }};" - }, - { - "id": "au-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" - }, - { - "id": "au-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Review and update the event types selected for logging {{ au-2_prm_3 }}." - } - ] - }, - { - "id": "au-2_gdn", - "name": "guidance", - "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." - } - ] - }, - { - "id": "au-3", - "class": "SP800-53", - "title": "Content of Audit Records", - "properties": [ - { - "name": "label", - "value": "AU-3" - }, - { - "name": "sort-id", - "value": "AU-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-8", - "rel": "related", - "text": "AU-8" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "au-3_smt", - "name": "statement", - "prose": "Ensure that audit records contain information that establishes the following:", - "parts": [ - { - "id": "au-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "What type of event occurred;" - }, - { - "id": "au-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When the event occurred;" - }, - { - "id": "au-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Where the event occurred;" - }, - { - "id": "au-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Source of the event;" - }, - { - "id": "au-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Outcome of the event; and" - }, - { - "id": "au-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." - } - ] - }, - { - "id": "au-3_gdn", - "name": "guidance", - "prose": "Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage." - } - ] - }, - { - "id": "au-4", - "class": "SP800-53", - "title": "Audit Log Storage Capacity", - "parameters": [ - { - "id": "au-4_prm_1", - "label": "organization-defined audit log retention requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-4" - }, - { - "name": "sort-id", - "value": "AU-04" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-4_smt", - "name": "statement", - "prose": "Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}." - }, - { - "id": "au-4_gdn", - "name": "guidance", - "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." - } - ] - }, - { - "id": "au-5", - "class": "SP800-53", - "title": "Response to Audit Logging Process Failures", - "parameters": [ - { - "id": "au-5_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "au-5_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "au-5_prm_3", - "label": "organization-defined additional actions" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-5" - }, - { - "name": "sort-id", - "value": "AU-05" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-5_smt", - "name": "statement", - "parts": [ - { - "id": "au-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and" - }, - { - "id": "au-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Take the following additional actions: {{ au-5_prm_3 }}." - } - ] - }, - { - "id": "au-5_gdn", - "name": "guidance", - "prose": "Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." - } - ] - }, - { - "id": "au-6", - "class": "SP800-53", - "title": "Audit Record Review, Analysis, and Reporting", - "parameters": [ - { - "id": "au-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "au-6_prm_2", - "label": "organization-defined inappropriate or unusual activity" - }, - { - "id": "au-6_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-6" - }, - { - "name": "sort-id", - "value": "AU-06" - } - ], - "links": [ - { - "href": "#35dfd59f-eef2-4f71-bdb5-6d878267456a", - "rel": "reference", - "text": "[SP 800-86]" - }, - { - "href": "#1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "rel": "reference", - "text": "[SP 800-101]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "au-6_smt", - "name": "statement", - "parts": [ - { - "id": "au-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};" - }, - { - "id": "au-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report findings to {{ au-6_prm_3 }}; and" - }, - { - "id": "au-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." - } - ] - }, - { - "id": "au-6_gdn", - "name": "guidance", - "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." - } - ] - }, - { - "id": "au-8", - "class": "SP800-53", - "title": "Time Stamps", - "parameters": [ - { - "id": "au-8_prm_1", - "label": "organization-defined granularity of time measurement" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-8" - }, - { - "name": "sort-id", - "value": "AU-08" - } - ], - "links": [ - { - "href": "#17ca9481-ea11-4ef2-81c1-885fd37d4be5", - "rel": "reference", - "text": "[IETF 5905]" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#sc-45", - "rel": "related", - "text": "SC-45" - } - ], - "parts": [ - { - "id": "au-8_smt", - "name": "statement", - "parts": [ - { - "id": "au-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Use internal system clocks to generate time stamps for audit records; and" - }, - { - "id": "au-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." - } - ] - }, - { - "id": "au-8_gdn", - "name": "guidance", - "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." - } - ] - }, - { - "id": "au-9", - "class": "SP800-53", - "title": "Protection of Audit Information", - "properties": [ - { - "name": "label", - "value": "AU-9" - }, - { - "name": "sort-id", - "value": "AU-09" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#au-15", - "rel": "related", - "text": "AU-15" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-9_smt", - "name": "statement", - "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion." - }, - { - "id": "au-9_gdn", - "name": "guidance", - "prose": "Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." - } - ] - }, - { - "id": "au-11", - "class": "SP800-53", - "title": "Audit Record Retention", - "parameters": [ - { - "id": "au-11_prm_1", - "label": "organization-defined time-period consistent with records retention policy" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-11" - }, - { - "name": "sort-id", - "value": "AU-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-11_smt", - "name": "statement", - "prose": "Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." - }, - { - "id": "au-11_gdn", - "name": "guidance", - "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention." - } - ] - }, - { - "id": "au-12", - "class": "SP800-53", - "title": "Audit Record Generation", - "parameters": [ - { - "id": "au-12_prm_1", - "label": "organization-defined system components" - }, - { - "id": "au-12_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-12" - }, - { - "name": "sort-id", - "value": "AU-12" - } - ], - "links": [ - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - } - ], - "parts": [ - { - "id": "au-12_smt", - "name": "statement", - "parts": [ - { - "id": "au-12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }};" - }, - { - "id": "au-12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and" - }, - { - "id": "au-12_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." - } - ] - }, - { - "id": "au-12_gdn", - "name": "guidance", - "prose": "Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." - } - ] - } - ] - }, - { - "id": "ca", - "class": "family", - "title": "Assessment, Authorization, and Monitoring", - "controls": [ - { - "id": "ca-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ca-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-1_prm_2" - }, - { - "id": "ca-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ca-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ca-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-1" - }, - { - "name": "sort-id", - "value": "CA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-1_smt", - "name": "statement", - "parts": [ - { - "id": "ca-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ca-1_prm_1 }}:", - "parts": [ - { - "id": "ca-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:", - "parts": [ - { - "id": "ca-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ca-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ca-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" - } - ] - }, - { - "id": "ca-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" - }, - { - "id": "ca-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current assessment, authorization, and monitoring:", - "parts": [ - { - "id": "ca-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ca-1_prm_4 }}; and" - }, - { - "id": "ca-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ca-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ca-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ca-2", - "class": "SP800-53", - "title": "Control Assessments", - "parameters": [ - { - "id": "ca-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ca-2_prm_2", - "label": "organization-defined individuals or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-2" - }, - { - "name": "sort-id", - "value": "CA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "ca-2_smt", - "name": "statement", - "parts": [ - { - "id": "ca-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a control assessment plan that describes the scope of the assessment including:", - "parts": [ - { - "id": "ca-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Controls and control enhancements under assessment;" - }, - { - "id": "ca-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Assessment procedures to be used to determine control effectiveness; and" - }, - { - "id": "ca-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" - } - ] - }, - { - "id": "ca-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" - }, - { - "id": "ca-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" - }, - { - "id": "ca-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Produce a control assessment report that document the results of the assessment; and" - }, - { - "id": "ca-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Provide the results of the control assessment to {{ ca-2_prm_2 }}." - } - ] - }, - { - "id": "ca-2_gdn", - "name": "guidance", - "prose": "Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control." - } - ] - }, - { - "id": "ca-3", - "class": "SP800-53", - "title": "Information Exchange", - "parameters": [ - { - "id": "ca-3_prm_1" - }, - { - "id": "ca-3_prm_2", - "depends-on": "ca-3_prm_1", - "label": "organization-defined type of agreement" - }, - { - "id": "ca-3_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-3" - }, - { - "name": "sort-id", - "value": "CA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#2e66c31a-190e-49ad-8e00-f306f8a0df17", - "rel": "reference", - "text": "[SP 800-47]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-3_smt", - "name": "statement", - "parts": [ - { - "id": "ca-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }};" - }, - { - "id": "ca-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" - }, - { - "id": "ca-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the agreements {{ ca-3_prm_3 }}." - } - ] - }, - { - "id": "ca-3_gdn", - "name": "guidance", - "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks." - } - ] - }, - { - "id": "ca-5", - "class": "SP800-53", - "title": "Plan of Action and Milestones", - "parameters": [ - { - "id": "ca-5_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-5" - }, - { - "name": "sort-id", - "value": "CA-05" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-5_smt", - "name": "statement", - "parts": [ - { - "id": "ca-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" - }, - { - "id": "ca-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities." - } - ] - }, - { - "id": "ca-5_gdn", - "name": "guidance", - "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB." - } - ] - }, - { - "id": "ca-6", - "class": "SP800-53", - "title": "Authorization", - "parameters": [ - { - "id": "ca-6_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-6" - }, - { - "name": "sort-id", - "value": "CA-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-6_smt", - "name": "statement", - "parts": [ - { - "id": "ca-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Assign a senior official as the authorizing official for the system;" - }, - { - "id": "ca-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ensure that the authorizing official for the system, before commencing operations:", - "parts": [ - { - "id": "ca-6_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Accepts the use of common controls inherited by the system; and" - }, - { - "id": "ca-6_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Authorizes the system to operate;" - } - ] - }, - { - "id": "ca-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Update the authorizations {{ ca-6_prm_1 }}." - } - ] - }, - { - "id": "ca-6_gdn", - "name": "guidance", - "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." - } - ] - }, - { - "id": "ca-7", - "class": "SP800-53", - "title": "Continuous Monitoring", - "parameters": [ - { - "id": "ca-7_prm_1", - "label": "organization-defined system-level metrics" - }, - { - "id": "ca-7_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-7_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-7" - }, - { - "name": "sort-id", - "value": "CA-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "rel": "reference", - "text": "[IR 8011 v1]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-31", - "rel": "related", - "text": "PM-31" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "ca-7_smt", - "name": "statement", - "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", - "parts": [ - { - "id": "ca-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};" - }, - { - "id": "ca-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "ca-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "ca-7_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "ca-7_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}." - } - ] - }, - { - "id": "ca-7_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ], - "controls": [ - { - "id": "ca-7.4", - "class": "SP800-53-enhancement", - "title": "Risk Monitoring", - "properties": [ - { - "name": "label", - "value": "CA-7(4)" - }, - { - "name": "sort-id", - "value": "CA-07(04)" - } - ], - "parts": [ - { - "id": "ca-7.4_smt", - "name": "statement", - "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", - "parts": [ - { - "id": "ca-7.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Effectiveness monitoring;" - }, - { - "id": "ca-7.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Compliance monitoring; and" - }, - { - "id": "ca-7.4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Change monitoring." - } - ] - }, - { - "id": "ca-7.4_gdn", - "name": "guidance", - "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." - } - ] - } - ] - }, - { - "id": "ca-9", - "class": "SP800-53", - "title": "Internal System Connections", - "parameters": [ - { - "id": "ca-9_prm_1", - "label": "organization-defined system components or classes of components" - }, - { - "id": "ca-9_prm_2", - "label": "organization-defined conditions" - }, - { - "id": "ca-9_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-9" - }, - { - "name": "sort-id", - "value": "CA-09" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-9_smt", - "name": "statement", - "parts": [ - { - "id": "ca-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Authorize internal connections of {{ ca-9_prm_1 }} to the system;" - }, - { - "id": "ca-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" - }, - { - "id": "ca-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Terminate internal system connections after {{ ca-9_prm_2 }}; and" - }, - { - "id": "ca-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review {{ ca-9_prm_3 }} the continued need for each internal connection." - } - ] - }, - { - "id": "ca-9_gdn", - "name": "guidance", - "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." - } - ] - } - ] - }, - { - "id": "cm", - "class": "family", - "title": "Configuration Management", - "controls": [ - { - "id": "cm-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "cm-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cm-1_prm_2" - }, - { - "id": "cm-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "cm-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "cm-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-1" - }, - { - "name": "sort-id", - "value": "CM-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cm-1_smt", - "name": "statement", - "parts": [ - { - "id": "cm-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ cm-1_prm_1 }}:", - "parts": [ - { - "id": "cm-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cm-1_prm_2 }} configuration management policy that:", - "parts": [ - { - "id": "cm-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "cm-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "cm-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" - } - ] - }, - { - "id": "cm-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" - }, - { - "id": "cm-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current configuration management:", - "parts": [ - { - "id": "cm-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ cm-1_prm_4 }}; and" - }, - { - "id": "cm-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ cm-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "cm-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "cm-2", - "class": "SP800-53", - "title": "Baseline Configuration", - "parameters": [ - { - "id": "cm-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cm-2_prm_2", - "label": "Assignment organization-defined circumstances" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2" - }, - { - "name": "sort-id", - "value": "CM-02" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#cp-12", - "rel": "related", - "text": "CP-12" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - } - ], - "parts": [ - { - "id": "cm-2_smt", - "name": "statement", - "parts": [ - { - "id": "cm-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" - }, - { - "id": "cm-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the baseline configuration of the system:", - "parts": [ - { - "id": "cm-2_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cm-2_prm_1 }};" - }, - { - "id": "cm-2_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required due to {{ cm-2_prm_2 }}; and" - }, - { - "id": "cm-2_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "When system components are installed or upgraded." - } - ] - } - ] - }, - { - "id": "cm-2_gdn", - "name": "guidance", - "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." - } - ] - }, - { - "id": "cm-4", - "class": "SP800-53", - "title": "Impact Analyses", - "properties": [ - { - "name": "label", - "value": "CM-4" - }, - { - "name": "sort-id", - "value": "CM-04" - } - ], - "links": [ - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "cm-4_smt", - "name": "statement", - "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." - }, - { - "id": "cm-4_gdn", - "name": "guidance", - "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required." - } - ] - }, - { - "id": "cm-5", - "class": "SP800-53", - "title": "Access Restrictions for Change", - "properties": [ - { - "name": "label", - "value": "CM-5" - }, - { - "name": "sort-id", - "value": "CM-05" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - } - ], - "parts": [ - { - "id": "cm-5_smt", - "name": "statement", - "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." - }, - { - "id": "cm-5_gdn", - "name": "guidance", - "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." - } - ] - }, - { - "id": "cm-6", - "class": "SP800-53", - "title": "Configuration Settings", - "parameters": [ - { - "id": "cm-6_prm_1", - "label": "organization-defined common secure configurations" - }, - { - "id": "cm-6_prm_2", - "label": "organization-defined system components" - }, - { - "id": "cm-6_prm_3", - "label": "organization-defined operational requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-6" - }, - { - "name": "sort-id", - "value": "CM-06" - } - ], - "links": [ - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "rel": "reference", - "text": "[SP 800-126]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#06842bea-64c9-4e20-807a-b8fc003fa737", - "rel": "reference", - "text": "[USGCB]" - }, - { - "href": "#5cc04a1c-5489-4751-a493-746a9639067b", - "rel": "reference", - "text": "[NCPR]" - }, - { - "href": "#294eed19-7471-4517-9480-2ec73e7c6a78", - "rel": "reference", - "text": "[DOD STIG]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - } - ], - "parts": [ - { - "id": "cm-6_smt", - "name": "statement", - "parts": [ - { - "id": "cm-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;" - }, - { - "id": "cm-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the configuration settings;" - }, - { - "id": "cm-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and" - }, - { - "id": "cm-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." - } - ] - }, - { - "id": "cm-6_gdn", - "name": "guidance", - "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\nImplementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." - } - ] - }, - { - "id": "cm-7", - "class": "SP800-53", - "title": "Least Functionality", - "parameters": [ - { - "id": "cm-7_prm_1", - "label": "organization-defined mission essential capabilities" - }, - { - "id": "cm-7_prm_2", - "label": "organization-defined prohibited or restricted functions, ports, protocols, software, and/or services" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7" - }, - { - "name": "sort-id", - "value": "CM-07" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#893d1736-324c-41d6-a5f4-d526b5ca981a", - "rel": "reference", - "text": "[SP 800-167]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "cm-7_smt", - "name": "statement", - "parts": [ - { - "id": "cm-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Configure the system to provide only {{ cm-7_prm_1 }}; and" - }, - { - "id": "cm-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}." - } - ] - }, - { - "id": "cm-7_gdn", - "name": "guidance", - "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3)." - } - ] - }, - { - "id": "cm-8", - "class": "SP800-53", - "title": "System Component Inventory", - "parameters": [ - { - "id": "cm-8_prm_1", - "label": "organization-defined information deemed necessary to achieve effective system component accountability" - }, - { - "id": "cm-8_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-8" - }, - { - "name": "sort-id", - "value": "CM-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "cm-8_smt", - "name": "statement", - "parts": [ - { - "id": "cm-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and document an inventory of system components that:", - "parts": [ - { - "id": "cm-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Accurately reflects the system;" - }, - { - "id": "cm-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Includes all components within the system;" - }, - { - "id": "cm-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" - }, - { - "id": "cm-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and" - } - ] - }, - { - "id": "cm-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the system component inventory {{ cm-8_prm_2 }}." - } - ] - }, - { - "id": "cm-8_gdn", - "name": "guidance", - "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location." - } - ] - }, - { - "id": "cm-10", - "class": "SP800-53", - "title": "Software Usage Restrictions", - "properties": [ - { - "name": "label", - "value": "CM-10" - }, - { - "name": "sort-id", - "value": "CM-10" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "cm-10_smt", - "name": "statement", - "parts": [ - { - "id": "cm-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" - }, - { - "id": "cm-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" - }, - { - "id": "cm-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." - } - ] - }, - { - "id": "cm-10_gdn", - "name": "guidance", - "prose": "Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement." - } - ] - }, - { - "id": "cm-11", - "class": "SP800-53", - "title": "User-installed Software", - "parameters": [ - { - "id": "cm-11_prm_1", - "label": "organization-defined policies" - }, - { - "id": "cm-11_prm_2", - "label": "organization-defined methods" - }, - { - "id": "cm-11_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-11" - }, - { - "name": "sort-id", - "value": "CM-11" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-11_smt", - "name": "statement", - "parts": [ - { - "id": "cm-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish {{ cm-11_prm_1 }} governing the installation of software by users;" - }, - { - "id": "cm-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and" - }, - { - "id": "cm-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Monitor policy compliance {{ cm-11_prm_3 }}." - } - ] - }, - { - "id": "cm-11_gdn", - "name": "guidance", - "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." - } - ] - } - ] - }, - { - "id": "cp", - "class": "family", - "title": "Contingency Planning", - "controls": [ - { - "id": "cp-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "cp-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cp-1_prm_2" - }, - { - "id": "cp-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "cp-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "cp-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-1" - }, - { - "name": "sort-id", - "value": "CP-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cp-1_smt", - "name": "statement", - "parts": [ - { - "id": "cp-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ cp-1_prm_1 }}:", - "parts": [ - { - "id": "cp-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cp-1_prm_2 }} contingency planning policy that:", - "parts": [ - { - "id": "cp-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "cp-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "cp-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" - } - ] - }, - { - "id": "cp-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" - }, - { - "id": "cp-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current contingency planning:", - "parts": [ - { - "id": "cp-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ cp-1_prm_4 }}; and" - }, - { - "id": "cp-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ cp-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "cp-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "cp-2", - "class": "SP800-53", - "title": "Contingency Plan", - "parameters": [ - { - "id": "cp-2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cp-2_prm_2", - "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "id": "cp-2_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "cp-2_prm_4", - "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2" - }, - { - "name": "sort-id", - "value": "CP-02" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#7a93e915-fd58-4147-be12-e48044c367e6", - "rel": "reference", - "text": "[IR 8179]" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#cp-11", - "rel": "related", - "text": "CP-11" - }, - { - "href": "#cp-13", - "rel": "related", - "text": "CP-13" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cp-2_smt", - "name": "statement", - "parts": [ - { - "id": "cp-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a contingency plan for the system that:", - "parts": [ - { - "id": "cp-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Identifies essential missions and business functions and associated contingency requirements;" - }, - { - "id": "cp-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Provides recovery objectives, restoration priorities, and metrics;" - }, - { - "id": "cp-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" - }, - { - "id": "cp-2_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;" - }, - { - "id": "cp-2_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and" - }, - { - "id": "cp-2_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Is reviewed and approved by {{ cp-2_prm_1 }};" - } - ] - }, - { - "id": "cp-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the contingency plan to {{ cp-2_prm_2 }};" - }, - { - "id": "cp-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Coordinate contingency planning activities with incident handling activities;" - }, - { - "id": "cp-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review the contingency plan for the system {{ cp-2_prm_3 }};" - }, - { - "id": "cp-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" - }, - { - "id": "cp-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Communicate contingency plan changes to {{ cp-2_prm_4 }}; and" - }, - { - "id": "cp-2_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Protect the contingency plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "cp-2_gdn", - "name": "guidance", - "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.\nIn addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family." - } - ] - }, - { - "id": "cp-3", - "class": "SP800-53", - "title": "Contingency Training", - "parameters": [ - { - "id": "cp-3_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "cp-3_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-3" - }, - { - "name": "sort-id", - "value": "CP-03" - } - ], - "links": [ - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "cp-3_smt", - "name": "statement", - "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", - "parts": [ - { - "id": "cp-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility;" - }, - { - "id": "cp-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When required by system changes; and" - }, - { - "id": "cp-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "\n {{ cp-3_prm_2 }} thereafter." - } - ] - }, - { - "id": "cp-3_gdn", - "name": "guidance", - "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan." - } - ] - }, - { - "id": "cp-4", - "class": "SP800-53", - "title": "Contingency Plan Testing", - "parameters": [ - { - "id": "cp-4_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cp-4_prm_2", - "label": "organization-defined tests" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-4" - }, - { - "name": "sort-id", - "value": "CP-04" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#20bf433b-074c-47a0-8fca-cd591772ccd6", - "rel": "reference", - "text": "[SP 800-84]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "cp-4_smt", - "name": "statement", - "parts": [ - { - "id": "cp-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}." - }, - { - "id": "cp-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the contingency plan test results; and" - }, - { - "id": "cp-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Initiate corrective actions, if needed." - } - ] - }, - { - "id": "cp-4_gdn", - "name": "guidance", - "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." - } - ] - }, - { - "id": "cp-9", - "class": "SP800-53", - "title": "System Backup", - "parameters": [ - { - "id": "cp-9_prm_1", - "label": "organization-defined system components" - }, - { - "id": "cp-9_prm_2", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "id": "cp-9_prm_3", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "id": "cp-9_prm_4", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9" - }, - { - "name": "sort-id", - "value": "CP-09" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#ae412317-c2b4-47bb-b47b-c329ce0d7a0b", - "rel": "reference", - "text": "[SP 800-130]" - }, - { - "href": "#38dbdf55-9a14-446f-b563-c48e4e3d37fb", - "rel": "reference", - "text": "[SP 800-152]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-9_smt", - "name": "statement", - "parts": [ - { - "id": "cp-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Conduct backups of user-level information contained in {{ cp-9_prm_1 }}\n {{ cp-9_prm_2 }};" - }, - { - "id": "cp-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }};" - }, - { - "id": "cp-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and" - }, - { - "id": "cp-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect the confidentiality, integrity, and availability of backup information." - } - ] - }, - { - "id": "cp-9_gdn", - "name": "guidance", - "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." - } - ] - }, - { - "id": "cp-10", - "class": "SP800-53", - "title": "System Recovery and Reconstitution", - "parameters": [ - { - "id": "cp-10_prm_1", - "label": "organization-defined time-period consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-10" - }, - { - "name": "sort-id", - "value": "CP-10" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-24", - "rel": "related", - "text": "SC-24" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-10_smt", - "name": "statement", - "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure." - }, - { - "id": "cp-10_gdn", - "name": "guidance", - "prose": "Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." - } - ] - } - ] - }, - { - "id": "ia", - "class": "family", - "title": "Identification and Authentication", - "controls": [ - { - "id": "ia-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ia-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ia-1_prm_2" - }, - { - "id": "ia-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ia-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ia-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-1" - }, - { - "name": "sort-id", - "value": "IA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ia-1_smt", - "name": "statement", - "parts": [ - { - "id": "ia-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ia-1_prm_1 }}:", - "parts": [ - { - "id": "ia-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ia-1_prm_2 }} identification and authentication policy that:", - "parts": [ - { - "id": "ia-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ia-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ia-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" - } - ] - }, - { - "id": "ia-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" - }, - { - "id": "ia-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current identification and authentication:", - "parts": [ - { - "id": "ia-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ia-1_prm_4 }}; and" - }, - { - "id": "ia-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ia-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ia-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ia-2", - "class": "SP800-53", - "title": "Identification and Authentication (organizational Users)", - "properties": [ - { - "name": "label", - "value": "IA-2" - }, - { - "name": "sort-id", - "value": "IA-02" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa", - "rel": "reference", - "text": "[SP 800-156]" - }, - { - "href": "#a8f55663-86c5-415b-aabe-d2a126981d65", - "rel": "reference", - "text": "[SP 800-166]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#daf69edb-a0ef-4447-9880-8c4bf553181f", - "rel": "reference", - "text": "[IR 7676]" - }, - { - "href": "#a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "rel": "reference", - "text": "[IR 7817]" - }, - { - "href": "#972c10bd-aedf-485f-b0db-f46a402127e2", - "rel": "reference", - "text": "[IR 7849]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "ia-2_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users." - }, - { - "id": "ia-2_gdn", - "name": "guidance", - "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8." - } - ], - "controls": [ - { - "id": "ia-2.1", - "class": "SP800-53-enhancement", - "title": "Multifactor Authentication to Privileged Accounts", - "properties": [ - { - "name": "label", - "value": "IA-2(1)" - }, - { - "name": "sort-id", - "value": "IA-02(01)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - } - ], - "parts": [ - { - "id": "ia-2.1_smt", - "name": "statement", - "prose": "Implement multifactor authentication for access to privileged accounts." - }, - { - "id": "ia-2.1_gdn", - "name": "guidance", - "prose": "Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." - } - ] - }, - { - "id": "ia-2.2", - "class": "SP800-53-enhancement", - "title": "Multifactor Authentication to Non-privileged Accounts", - "properties": [ - { - "name": "label", - "value": "IA-2(2)" - }, - { - "name": "sort-id", - "value": "IA-02(02)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - } - ], - "parts": [ - { - "id": "ia-2.2_smt", - "name": "statement", - "prose": "Implement multifactor authentication for access to non-privileged accounts." - }, - { - "id": "ia-2.2_gdn", - "name": "guidance", - "prose": "Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." - } - ] - }, - { - "id": "ia-2.8", - "class": "SP800-53-enhancement", - "title": "Access to Accounts — Replay Resistant", - "parameters": [ - { - "id": "ia-2.8_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-2(8)" - }, - { - "name": "sort-id", - "value": "IA-02(08)" - } - ], - "parts": [ - { - "id": "ia-2.8_smt", - "name": "statement", - "prose": "Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}." - }, - { - "id": "ia-2.8_gdn", - "name": "guidance", - "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators." - } - ] - }, - { - "id": "ia-2.12", - "class": "SP800-53-enhancement", - "title": "Acceptance of PIV Credentials", - "properties": [ - { - "name": "label", - "value": "IA-2(12)" - }, - { - "name": "sort-id", - "value": "IA-02(12)" - } - ], - "parts": [ - { - "id": "ia-2.12_smt", - "name": "statement", - "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials." - }, - { - "id": "ia-2.12_gdn", - "name": "guidance", - "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential." - } - ] - } - ] - }, - { - "id": "ia-4", - "class": "SP800-53", - "title": "Identifier Management", - "parameters": [ - { - "id": "ia-4_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ia-4_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-4" - }, - { - "name": "sort-id", - "value": "IA-04" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - } - ], - "parts": [ - { - "id": "ia-4_smt", - "name": "statement", - "prose": "Manage system identifiers by:", - "parts": [ - { - "id": "ia-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier;" - }, - { - "id": "ia-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" - }, - { - "id": "ia-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" - }, - { - "id": "ia-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Preventing reuse of identifiers for {{ ia-4_prm_2 }}." - } - ] - }, - { - "id": "ia-4_gdn", - "name": "guidance", - "prose": "Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." - } - ] - }, - { - "id": "ia-5", - "class": "SP800-53", - "title": "Authenticator Management", - "parameters": [ - { - "id": "ia-5_prm_1", - "label": "organization-defined time-period by authenticator type" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-5" - }, - { - "name": "sort-id", - "value": "IA-05" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "rel": "reference", - "text": "[IR 7817]" - }, - { - "href": "#972c10bd-aedf-485f-b0db-f46a402127e2", - "rel": "reference", - "text": "[IR 7849]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#24738ee6-b3f3-4e37-825b-58775846bdbc", - "rel": "reference", - "text": "[IR 8040]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - } - ], - "parts": [ - { - "id": "ia-5_smt", - "name": "statement", - "prose": "Manage system authenticators by:", - "parts": [ - { - "id": "ia-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" - }, - { - "id": "ia-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" - }, - { - "id": "ia-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" - }, - { - "id": "ia-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" - }, - { - "id": "ia-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;" - }, - { - "id": "ia-5_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Changing default authenticators prior to first use;" - }, - { - "id": "ia-5_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Changing or refreshing authenticators {{ ia-5_prm_1 }};" - }, - { - "id": "ia-5_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Protecting authenticator content from unauthorized disclosure and modification;" - }, - { - "id": "ia-5_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" - }, - { - "id": "ia-5_smt.j", - "name": "item", - "properties": [ - { - "name": "label", - "value": "j." - } - ], - "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." - } - ] - }, - { - "id": "ia-5_gdn", - "name": "guidance", - "prose": "Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." - } - ], - "controls": [ - { - "id": "ia-5.1", - "class": "SP800-53-enhancement", - "title": "Password-based Authentication", - "parameters": [ - { - "id": "ia-5.1_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ia-5.1_prm_2", - "label": "organization-defined composition and complexity rules" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-5(1)" - }, - { - "name": "sort-id", - "value": "IA-05(01)" - } - ], - "links": [ - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - } - ], - "parts": [ - { - "id": "ia-5.1_smt", - "name": "statement", - "prose": "For password-based authentication:", - "parts": [ - { - "id": "ia-5.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" - }, - { - "id": "ia-5.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;" - }, - { - "id": "ia-5.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Transmit only cryptographically-protected passwords;" - }, - { - "id": "ia-5.1_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;" - }, - { - "id": "ia-5.1_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(e)" - } - ], - "prose": "Require immediate selection of a new password upon account recovery;" - }, - { - "id": "ia-5.1_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(f)" - } - ], - "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" - }, - { - "id": "ia-5.1_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(g)" - } - ], - "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" - }, - { - "id": "ia-5.1_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(h)" - } - ], - "prose": "Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}." - } - ] - }, - { - "id": "ia-5.1_gdn", - "name": "guidance", - "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof." - } - ] - } - ] - }, - { - "id": "ia-6", - "class": "SP800-53", - "title": "Authenticator Feedback", - "properties": [ - { - "name": "label", - "value": "IA-6" - }, - { - "name": "sort-id", - "value": "IA-06" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - } - ], - "parts": [ - { - "id": "ia-6_smt", - "name": "statement", - "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." - }, - { - "id": "ia-6_gdn", - "name": "guidance", - "prose": "Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it." - } - ] - }, - { - "id": "ia-7", - "class": "SP800-53", - "title": "Cryptographic Module Authentication", - "properties": [ - { - "name": "label", - "value": "IA-7" - }, - { - "name": "sort-id", - "value": "IA-07" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ia-7_smt", - "name": "statement", - "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." - }, - { - "id": "ia-7_gdn", - "name": "guidance", - "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." - } - ] - }, - { - "id": "ia-8", - "class": "SP800-53", - "title": "Identification and Authentication (non-organizational Users)", - "properties": [ - { - "name": "label", - "value": "IA-8" - }, - { - "name": "sort-id", - "value": "IA-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "rel": "reference", - "text": "[SP 800-116]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-10", - "rel": "related", - "text": "IA-10" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - } - ], - "parts": [ - { - "id": "ia-8_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." - }, - { - "id": "ia-8_gdn", - "name": "guidance", - "prose": "Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." - } - ], - "controls": [ - { - "id": "ia-8.1", - "class": "SP800-53-enhancement", - "title": "Acceptance of PIV Credentials from Other Agencies", - "properties": [ - { - "name": "label", - "value": "IA-8(1)" - }, - { - "name": "sort-id", - "value": "IA-08(01)" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - } - ], - "parts": [ - { - "id": "ia-8.1_smt", - "name": "statement", - "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." - }, - { - "id": "ia-8.1_gdn", - "name": "guidance", - "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]." - } - ] - }, - { - "id": "ia-8.2", - "class": "SP800-53-enhancement", - "title": "Acceptance of External Credentials", - "properties": [ - { - "name": "label", - "value": "IA-8(2)" - }, - { - "name": "sort-id", - "value": "IA-08(02)" - } - ], - "parts": [ - { - "id": "ia-8.2_smt", - "name": "statement", - "prose": "Accept only external credentials that are NIST-compliant." - }, - { - "id": "ia-8.2_gdn", - "name": "guidance", - "prose": "Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels." - } - ] - }, - { - "id": "ia-8.4", - "class": "SP800-53-enhancement", - "title": "Use of Nist-issued Profiles", - "properties": [ - { - "name": "label", - "value": "IA-8(4)" - }, - { - "name": "sort-id", - "value": "IA-08(04)" - } - ], - "parts": [ - { - "id": "ia-8.4_smt", - "name": "statement", - "prose": "Conform to NIST-issued profiles for identity management." - }, - { - "id": "ia-8.4_gdn", - "name": "guidance", - "prose": "Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols." - } - ] - } - ] - }, - { - "id": "ia-11", - "class": "SP800-53", - "title": "Re-authentication", - "parameters": [ - { - "id": "ia-11_prm_1", - "label": "organization-defined circumstances or situations requiring re-authentication" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-11" - }, - { - "name": "sort-id", - "value": "IA-11" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - } - ], - "parts": [ - { - "id": "ia-11_smt", - "name": "statement", - "prose": "Require users to re-authenticate when {{ ia-11_prm_1 }}." - }, - { - "id": "ia-11_gdn", - "name": "guidance", - "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically." - } - ] - } - ] - }, - { - "id": "ir", - "class": "family", - "title": "Incident Response", - "controls": [ - { - "id": "ir-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ir-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-1_prm_2" - }, - { - "id": "ir-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ir-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ir-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-1" - }, - { - "name": "sort-id", - "value": "IR-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ir-1_smt", - "name": "statement", - "parts": [ - { - "id": "ir-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ir-1_prm_1 }}:", - "parts": [ - { - "id": "ir-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ir-1_prm_2 }} incident response policy that:", - "parts": [ - { - "id": "ir-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ir-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ir-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" - } - ] - }, - { - "id": "ir-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" - }, - { - "id": "ir-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current incident response:", - "parts": [ - { - "id": "ir-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ir-1_prm_4 }}; and" - }, - { - "id": "ir-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ir-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ir-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ir-2", - "class": "SP800-53", - "title": "Incident Response Training", - "parameters": [ - { - "id": "ir-2_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ir-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-2" - }, - { - "name": "sort-id", - "value": "IR-02" - } - ], - "links": [ - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "ir-2_smt", - "name": "statement", - "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", - "parts": [ - { - "id": "ir-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access;" - }, - { - "id": "ir-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When required by system changes; and" - }, - { - "id": "ir-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "\n {{ ir-2_prm_2 }} thereafter." - } - ] - }, - { - "id": "ir-2_gdn", - "name": "guidance", - "prose": "Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3." - } - ] - }, - { - "id": "ir-4", - "class": "SP800-53", - "title": "Incident Handling", - "properties": [ - { - "name": "label", - "value": "IR-4" - }, - { - "name": "sort-id", - "value": "IR-04" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#35dfd59f-eef2-4f71-bdb5-6d878267456a", - "rel": "reference", - "text": "[SP 800-86]" - }, - { - "href": "#1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "rel": "reference", - "text": "[SP 800-101]" - }, - { - "href": "#ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "rel": "reference", - "text": "[SP 800-150]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#08f518f7-f9b9-4bee-8986-860214f46b16", - "rel": "reference", - "text": "[SP 800-184]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ir-4_smt", - "name": "statement", - "parts": [ - { - "id": "ir-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" - }, - { - "id": "ir-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate incident handling activities with contingency planning activities;" - }, - { - "id": "ir-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" - }, - { - "id": "ir-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." - } - ] - }, - { - "id": "ir-4_gdn", - "name": "guidance", - "prose": "Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk." - } - ] - }, - { - "id": "ir-5", - "class": "SP800-53", - "title": "Incident Monitoring", - "properties": [ - { - "name": "label", - "value": "IR-5" - }, - { - "name": "sort-id", - "value": "IR-05" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ir-5_smt", - "name": "statement", - "prose": "Track and document security, privacy, and supply chain incidents." - }, - { - "id": "ir-5_gdn", - "name": "guidance", - "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports." - } - ] - }, - { - "id": "ir-6", - "class": "SP800-53", - "title": "Incident Reporting", - "parameters": [ - { - "id": "ir-6_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ir-6_prm_2", - "label": "organization-defined authorities" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-6" - }, - { - "name": "sort-id", - "value": "IR-06" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "ir-6_smt", - "name": "statement", - "parts": [ - { - "id": "ir-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and" - }, - { - "id": "ir-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}." - } - ] - }, - { - "id": "ir-6_gdn", - "name": "guidance", - "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "ir-7", - "class": "SP800-53", - "title": "Incident Response Assistance", - "properties": [ - { - "name": "label", - "value": "IR-7" - }, - { - "name": "sort-id", - "value": "IR-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-26", - "rel": "related", - "text": "PM-26" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "ir-7_smt", - "name": "statement", - "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents." - }, - { - "id": "ir-7_gdn", - "name": "guidance", - "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." - } - ] - }, - { - "id": "ir-8", - "class": "SP800-53", - "title": "Incident Response Plan", - "parameters": [ - { - "id": "ir-8_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-8_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "ir-8_prm_3", - "label": "organization-defined entities, personnel, or roles" - }, - { - "id": "ir-8_prm_4", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "id": "ir-8_prm_5", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-8" - }, - { - "name": "sort-id", - "value": "IR-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#389fe193-866e-46b1-bf1d-38904b56aa7b", - "rel": "reference", - "text": "[OMB M-17-12]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - } - ], - "parts": [ - { - "id": "ir-8_smt", - "name": "statement", - "parts": [ - { - "id": "ir-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop an incident response plan that:", - "parts": [ - { - "id": "ir-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Provides the organization with a roadmap for implementing its incident response capability;" - }, - { - "id": "ir-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Describes the structure and organization of the incident response capability;" - }, - { - "id": "ir-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" - }, - { - "id": "ir-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" - }, - { - "id": "ir-8_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Defines reportable incidents;" - }, - { - "id": "ir-8_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provides metrics for measuring the incident response capability within the organization;" - }, - { - "id": "ir-8_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" - }, - { - "id": "ir-8_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and" - }, - { - "id": "ir-8_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}." - } - ] - }, - { - "id": "ir-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the incident response plan to {{ ir-8_prm_4 }};" - }, - { - "id": "ir-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" - }, - { - "id": "ir-8_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Communicate incident response plan changes to {{ ir-8_prm_5 }}; and" - }, - { - "id": "ir-8_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the incident response plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "ir-8_gdn", - "name": "guidance", - "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." - } - ] - } - ] - }, - { - "id": "ma", - "class": "family", - "title": "Maintenance", - "controls": [ - { - "id": "ma-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ma-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ma-1_prm_2" - }, - { - "id": "ma-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ma-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ma-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-1" - }, - { - "name": "sort-id", - "value": "MA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ma-1_smt", - "name": "statement", - "parts": [ - { - "id": "ma-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ma-1_prm_1 }}:", - "parts": [ - { - "id": "ma-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ma-1_prm_2 }} maintenance policy that:", - "parts": [ - { - "id": "ma-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ma-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ma-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" - } - ] - }, - { - "id": "ma-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" - }, - { - "id": "ma-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current maintenance:", - "parts": [ - { - "id": "ma-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ma-1_prm_4 }}; and" - }, - { - "id": "ma-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ma-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ma-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ma-2", - "class": "SP800-53", - "title": "Controlled Maintenance", - "parameters": [ - { - "id": "ma-2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ma-2_prm_2", - "label": "organization-defined information" - }, - { - "id": "ma-2_prm_3", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-2" - }, - { - "name": "sort-id", - "value": "MA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "ma-2_smt", - "name": "statement", - "parts": [ - { - "id": "ma-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" - }, - { - "id": "ma-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" - }, - { - "id": "ma-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" - }, - { - "id": "ma-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }};" - }, - { - "id": "ma-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" - }, - { - "id": "ma-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}." - } - ] - }, - { - "id": "ma-2_gdn", - "name": "guidance", - "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems." - } - ] - }, - { - "id": "ma-4", - "class": "SP800-53", - "title": "Nonlocal Maintenance", - "properties": [ - { - "name": "label", - "value": "MA-4" - }, - { - "name": "sort-id", - "value": "MA-04" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#bbc7085f-b383-444e-af74-722a55cccc0f", - "rel": "reference", - "text": "[FIPS 197]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - } - ], - "parts": [ - { - "id": "ma-4_smt", - "name": "statement", - "parts": [ - { - "id": "ma-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" - }, - { - "id": "ma-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" - }, - { - "id": "ma-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;" - }, - { - "id": "ma-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" - }, - { - "id": "ma-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Terminate session and network connections when nonlocal maintenance is completed." - } - ] - }, - { - "id": "ma-4_gdn", - "name": "guidance", - "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls." - } - ] - }, - { - "id": "ma-5", - "class": "SP800-53", - "title": "Maintenance Personnel", - "properties": [ - { - "name": "label", - "value": "MA-5" - }, - { - "name": "sort-id", - "value": "MA-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "ma-5_smt", - "name": "statement", - "parts": [ - { - "id": "ma-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" - }, - { - "id": "ma-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" - }, - { - "id": "ma-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." - } - ] - }, - { - "id": "ma-5_gdn", - "name": "guidance", - "prose": "Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods." - } - ] - } - ] - }, - { - "id": "mp", - "class": "family", - "title": "Media Protection", - "controls": [ - { - "id": "mp-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "mp-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "mp-1_prm_2" - }, - { - "id": "mp-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "mp-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "mp-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-1" - }, - { - "name": "sort-id", - "value": "MP-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-1_smt", - "name": "statement", - "parts": [ - { - "id": "mp-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ mp-1_prm_1 }}:", - "parts": [ - { - "id": "mp-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ mp-1_prm_2 }} media protection policy that:", - "parts": [ - { - "id": "mp-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "mp-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "mp-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" - } - ] - }, - { - "id": "mp-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" - }, - { - "id": "mp-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current media protection:", - "parts": [ - { - "id": "mp-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ mp-1_prm_4 }}; and" - }, - { - "id": "mp-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ mp-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "mp-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "mp-2", - "class": "SP800-53", - "title": "Media Access", - "parameters": [ - { - "id": "mp-2_prm_1", - "label": "organization-defined types of digital and/or non-digital media" - }, - { - "id": "mp-2_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-2" - }, - { - "name": "sort-id", - "value": "MP-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-2_smt", - "name": "statement", - "prose": "Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}." - }, - { - "id": "mp-2_gdn", - "name": "guidance", - "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media." - } - ] - }, - { - "id": "mp-6", - "class": "SP800-53", - "title": "Media Sanitization", - "parameters": [ - { - "id": "mp-6_prm_1", - "label": "organization-defined system media" - }, - { - "id": "mp-6_prm_2", - "label": "organization-defined sanitization techniques and procedures" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-6" - }, - { - "name": "sort-id", - "value": "MP-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#a52271dc-11b5-423a-8b6f-14867bd94259", - "rel": "reference", - "text": "[NSA MEDIA]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "mp-6_smt", - "name": "statement", - "parts": [ - { - "id": "mp-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and" - }, - { - "id": "mp-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." - } - ] - }, - { - "id": "mp-6_gdn", - "name": "guidance", - "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information." - } - ] - }, - { - "id": "mp-7", - "class": "SP800-53", - "title": "Media Use", - "parameters": [ - { - "id": "mp-7_prm_1" - }, - { - "id": "mp-7_prm_2", - "label": "organization-defined types of system media" - }, - { - "id": "mp-7_prm_3", - "label": "organization-defined systems or system components" - }, - { - "id": "mp-7_prm_4", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-7" - }, - { - "name": "sort-id", - "value": "MP-07" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-41", - "rel": "related", - "text": "SC-41" - } - ], - "parts": [ - { - "id": "mp-7_smt", - "name": "statement", - "parts": [ - { - "id": "mp-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "\n {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and" - }, - { - "id": "mp-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." - } - ] - }, - { - "id": "mp-7_gdn", - "name": "guidance", - "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." - } - ] - } - ] - }, - { - "id": "pe", - "class": "family", - "title": "Physical and Environmental Protection", - "controls": [ - { - "id": "pe-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pe-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pe-1_prm_2" - }, - { - "id": "pe-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pe-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pe-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-1" - }, - { - "name": "sort-id", - "value": "PE-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pe-1_smt", - "name": "statement", - "parts": [ - { - "id": "pe-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pe-1_prm_1 }}:", - "parts": [ - { - "id": "pe-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pe-1_prm_2 }} physical and environmental protection policy that:", - "parts": [ - { - "id": "pe-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pe-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pe-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" - } - ] - }, - { - "id": "pe-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" - }, - { - "id": "pe-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current physical and environmental protection:", - "parts": [ - { - "id": "pe-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pe-1_prm_4 }}; and" - }, - { - "id": "pe-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pe-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pe-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pe-2", - "class": "SP800-53", - "title": "Physical Access Authorizations", - "parameters": [ - { - "id": "pe-2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-2" - }, - { - "name": "sort-id", - "value": "PE-02" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-8", - "rel": "related", - "text": "PE-8" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - } - ], - "parts": [ - { - "id": "pe-2_smt", - "name": "statement", - "parts": [ - { - "id": "pe-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" - }, - { - "id": "pe-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Issue authorization credentials for facility access;" - }, - { - "id": "pe-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and" - }, - { - "id": "pe-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Remove individuals from the facility access list when access is no longer required." - } - ] - }, - { - "id": "pe-2_gdn", - "name": "guidance", - "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible." - } - ] - }, - { - "id": "pe-3", - "class": "SP800-53", - "title": "Physical Access Control", - "parameters": [ - { - "id": "pe-3_prm_1", - "label": "organization-defined entry and exit points to the facility where the system resides" - }, - { - "id": "pe-3_prm_2" - }, - { - "id": "pe-3_prm_3", - "depends-on": "pe-3_prm_2", - "label": "organization-defined physical access control systems or devices" - }, - { - "id": "pe-3_prm_4", - "label": "organization-defined entry or exit points" - }, - { - "id": "pe-3_prm_5", - "label": "organization-defined controls" - }, - { - "id": "pe-3_prm_6", - "label": "organization-defined circumstances requiring visitor escorts and monitoring" - }, - { - "id": "pe-3_prm_7", - "label": "organization-defined physical access devices" - }, - { - "id": "pe-3_prm_8", - "label": "organization-defined frequency" - }, - { - "id": "pe-3_prm_9", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-3" - }, - { - "name": "sort-id", - "value": "PE-03" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "rel": "reference", - "text": "[SP 800-116]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-8", - "rel": "related", - "text": "PE-8" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "pe-3_smt", - "name": "statement", - "parts": [ - { - "id": "pe-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enforce physical access authorizations at {{ pe-3_prm_1 }} by:", - "parts": [ - { - "id": "pe-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Verifying individual access authorizations before granting access to the facility; and" - }, - { - "id": "pe-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Controlling ingress and egress to the facility using {{ pe-3_prm_2 }};" - } - ] - }, - { - "id": "pe-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain physical access audit logs for {{ pe-3_prm_4 }};" - }, - { - "id": "pe-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }};" - }, - { - "id": "pe-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Escort visitors and monitor visitor activity {{ pe-3_prm_6 }};" - }, - { - "id": "pe-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Secure keys, combinations, and other physical access devices;" - }, - { - "id": "pe-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and" - }, - { - "id": "pe-3_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." - } - ] - }, - { - "id": "pe-3_gdn", - "name": "guidance", - "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." - } - ] - }, - { - "id": "pe-6", - "class": "SP800-53", - "title": "Monitoring Physical Access", - "parameters": [ - { - "id": "pe-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pe-6_prm_2", - "label": "organization-defined events or potential indications of events" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-6" - }, - { - "name": "sort-id", - "value": "PE-06" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - } - ], - "parts": [ - { - "id": "pe-6_smt", - "name": "statement", - "parts": [ - { - "id": "pe-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" - }, - { - "id": "pe-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and" - }, - { - "id": "pe-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." - } - ] - }, - { - "id": "pe-6_gdn", - "name": "guidance", - "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses." - } - ] - }, - { - "id": "pe-8", - "class": "SP800-53", - "title": "Visitor Access Records", - "parameters": [ - { - "id": "pe-8_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "pe-8_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "pe-8_prm_3", - "label": "organization-defined personnel" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-8" - }, - { - "name": "sort-id", - "value": "PE-08" - } - ], - "links": [ - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - } - ], - "parts": [ - { - "id": "pe-8_smt", - "name": "statement", - "parts": [ - { - "id": "pe-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }};" - }, - { - "id": "pe-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review visitor access records {{ pe-8_prm_2 }}; and" - }, - { - "id": "pe-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Report anomalies in visitor access records to {{ pe-8_prm_3 }}." - } - ] - }, - { - "id": "pe-8_gdn", - "name": "guidance", - "prose": "Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas." - } - ] - }, - { - "id": "pe-12", - "class": "SP800-53", - "title": "Emergency Lighting", - "properties": [ - { - "name": "label", - "value": "PE-12" - }, - { - "name": "sort-id", - "value": "PE-12" - } - ], - "links": [ - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "pe-12_smt", - "name": "statement", - "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." - }, - { - "id": "pe-12_gdn", - "name": "guidance", - "prose": "The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites." - } - ] - }, - { - "id": "pe-13", - "class": "SP800-53", - "title": "Fire Protection", - "properties": [ - { - "name": "label", - "value": "PE-13" - }, - { - "name": "sort-id", - "value": "PE-13" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "pe-13_smt", - "name": "statement", - "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." - }, - { - "id": "pe-13_gdn", - "name": "guidance", - "prose": "The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors." - } - ] - }, - { - "id": "pe-14", - "class": "SP800-53", - "title": "Environmental Controls", - "parameters": [ - { - "id": "pe-14_prm_1" - }, - { - "id": "pe-14_prm_2", - "depends-on": "pe-14_prm_1", - "label": "organization-defined environmental control" - }, - { - "id": "pe-14_prm_3", - "label": "organization-defined acceptable levels" - }, - { - "id": "pe-14_prm_4", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-14" - }, - { - "name": "sort-id", - "value": "PE-14" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pe-21", - "rel": "related", - "text": "PE-21" - } - ], - "parts": [ - { - "id": "pe-14_smt", - "name": "statement", - "parts": [ - { - "id": "pe-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and" - }, - { - "id": "pe-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Monitor environmental control levels {{ pe-14_prm_4 }}." - } - ] - }, - { - "id": "pe-14_gdn", - "name": "guidance", - "prose": "The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure." - } - ] - }, - { - "id": "pe-15", - "class": "SP800-53", - "title": "Water Damage Protection", - "properties": [ - { - "name": "label", - "value": "PE-15" - }, - { - "name": "sort-id", - "value": "PE-15" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pe-10", - "rel": "related", - "text": "PE-10" - } - ], - "parts": [ - { - "id": "pe-15_smt", - "name": "statement", - "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." - }, - { - "id": "pe-15_gdn", - "name": "guidance", - "prose": "The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations." - } - ] - }, - { - "id": "pe-16", - "class": "SP800-53", - "title": "Delivery and Removal", - "parameters": [ - { - "id": "pe-16_prm_1", - "label": "organization-defined types of system components" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-16" - }, - { - "name": "sort-id", - "value": "PE-16" - } - ], - "links": [ - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "pe-16_smt", - "name": "statement", - "parts": [ - { - "id": "pe-16_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and" - }, - { - "id": "pe-16_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain records of the system components." - } - ] - }, - { - "id": "pe-16_gdn", - "name": "guidance", - "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." - } - ] - } - ] - }, - { - "id": "pl", - "class": "family", - "title": "Planning", - "controls": [ - { - "id": "pl-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pl-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-1_prm_2" - }, - { - "id": "pl-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pl-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pl-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-1" - }, - { - "name": "sort-id", - "value": "PL-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-1_smt", - "name": "statement", - "parts": [ - { - "id": "pl-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pl-1_prm_1 }}:", - "parts": [ - { - "id": "pl-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pl-1_prm_2 }} planning policy that:", - "parts": [ - { - "id": "pl-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pl-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pl-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" - } - ] - }, - { - "id": "pl-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" - }, - { - "id": "pl-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current planning:", - "parts": [ - { - "id": "pl-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pl-1_prm_4 }}; and" - }, - { - "id": "pl-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pl-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pl-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pl-2", - "class": "SP800-53", - "title": "System Security and Privacy Plans", - "parameters": [ - { - "id": "pl-2_prm_1", - "label": "organization-defined individuals or groups" - }, - { - "id": "pl-2_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-2" - }, - { - "name": "sort-id", - "value": "PL-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-22", - "rel": "related", - "text": "SA-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pl-2_smt", - "name": "statement", - "parts": [ - { - "id": "pl-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop security and privacy plans for the system that:", - "parts": [ - { - "id": "pl-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are consistent with the organization’s enterprise architecture;" - }, - { - "id": "pl-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Explicitly define the constituent system components;" - }, - { - "id": "pl-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Describe the operational context of the system in terms of missions and business processes;" - }, - { - "id": "pl-2_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Provide the security categorization of the system, including supporting rationale;" - }, - { - "id": "pl-2_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Describe any specific threats to the system that are of concern to the organization;" - }, - { - "id": "pl-2_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" - }, - { - "id": "pl-2_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" - }, - { - "id": "pl-2_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Provide an overview of the security and privacy requirements for the system;" - }, - { - "id": "pl-2_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Identify any relevant control baselines or overlays, if applicable;" - }, - { - "id": "pl-2_smt.a.10", - "name": "item", - "properties": [ - { - "name": "label", - "value": "10." - } - ], - "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" - }, - { - "id": "pl-2_smt.a.11", - "name": "item", - "properties": [ - { - "name": "label", - "value": "11." - } - ], - "prose": "Include risk determinations for security and privacy architecture and design decisions;" - }, - { - "id": "pl-2_smt.a.12", - "name": "item", - "properties": [ - { - "name": "label", - "value": "12." - } - ], - "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and" - }, - { - "id": "pl-2_smt.a.13", - "name": "item", - "properties": [ - { - "name": "label", - "value": "13." - } - ], - "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." - } - ] - }, - { - "id": "pl-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};" - }, - { - "id": "pl-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the plans {{ pl-2_prm_3 }};" - }, - { - "id": "pl-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" - }, - { - "id": "pl-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the plans from unauthorized disclosure and modification." - } - ] - }, - { - "id": "pl-2_gdn", - "name": "guidance", - "prose": "System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate." - } - ] - }, - { - "id": "pl-4", - "class": "SP800-53", - "title": "Rules of Behavior", - "parameters": [ - { - "id": "pl-4_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pl-4_prm_2" - }, - { - "id": "pl-4_prm_3", - "depends-on": "pl-4_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-4" - }, - { - "name": "sort-id", - "value": "PL-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-9", - "rel": "related", - "text": "AC-9" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-4_smt", - "name": "statement", - "parts": [ - { - "id": "pl-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" - }, - { - "id": "pl-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" - }, - { - "id": "pl-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the rules of behavior {{ pl-4_prm_1 }}; and" - }, - { - "id": "pl-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}." - } - ] - }, - { - "id": "pl-4_gdn", - "name": "guidance", - "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons." - } - ], - "controls": [ - { - "id": "pl-4.1", - "class": "SP800-53-enhancement", - "title": "Social Media and External Site/application Usage Restrictions", - "properties": [ - { - "name": "label", - "value": "PL-4(1)" - }, - { - "name": "sort-id", - "value": "PL-04(01)" - } - ], - "links": [ - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - } - ], - "parts": [ - { - "id": "pl-4.1_smt", - "name": "statement", - "prose": "Include in the rules of behavior, restrictions on:", - "parts": [ - { - "id": "pl-4.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Use of social media, social networking sites, and external sites/applications;" - }, - { - "id": "pl-4.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Posting organizational information on public websites; and" - }, - { - "id": "pl-4.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications." - } - ] - }, - { - "id": "pl-4.1_gdn", - "name": "guidance", - "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information." - } - ] - } - ] - }, - { - "id": "pl-10", - "class": "SP800-53", - "title": "Baseline Selection", - "properties": [ - { - "name": "label", - "value": "PL-10" - }, - { - "name": "sort-id", - "value": "PL-10" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#31f3c9de-c57c-4281-929b-f9951f9640f1", - "rel": "reference", - "text": "[SP 800-53B]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ee96f130-3f91-46ed-a4d8-57e5f220a623", - "rel": "reference", - "text": "[CNSSI 1253]" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pl-10_smt", - "name": "statement", - "prose": "Select a control baseline for the system." - }, - { - "id": "pl-10_gdn", - "name": "guidance", - "prose": "Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments." - } - ] - }, - { - "id": "pl-11", - "class": "SP800-53", - "title": "Baseline Tailoring", - "properties": [ - { - "name": "label", - "value": "PL-11" - }, - { - "name": "sort-id", - "value": "PL-11" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#31f3c9de-c57c-4281-929b-f9951f9640f1", - "rel": "reference", - "text": "[SP 800-53B]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ee96f130-3f91-46ed-a4d8-57e5f220a623", - "rel": "reference", - "text": "[CNSSI 1253]" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pl-11_smt", - "name": "statement", - "prose": "Tailor the selected control baseline by applying specified tailoring actions." - }, - { - "id": "pl-11_gdn", - "name": "guidance", - "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities." - } - ] - } - ] - }, - { - "id": "pm", - "class": "family", - "title": "Program Management", - "controls": [ - { - "id": "pm-1", - "class": "SP800-53", - "title": "Information Security Program Plan", - "parameters": [ - { - "id": "pm-1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-1" - }, - { - "name": "sort-id", - "value": "PM-01" - } - ], - "links": [ - { - "href": "#14958422-54f6-471f-a345-802dca594dd8", - "rel": "reference", - "text": "[FISMA]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "pm-1_smt", - "name": "statement", - "parts": [ - { - "id": "pm-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and disseminate an organization-wide information security program plan that:", - "parts": [ - { - "id": "pm-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;" - }, - { - "id": "pm-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;" - }, - { - "id": "pm-1_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Reflects the coordination among organizational entities responsible for information security; and" - }, - { - "id": "pm-1_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;" - } - ] - }, - { - "id": "pm-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the organization-wide information security program plan {{ pm-1_prm_1 }};" - }, - { - "id": "pm-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and" - }, - { - "id": "pm-1_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect the information security program plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "pm-1_gdn", - "name": "guidance", - "prose": "An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents.\nInformation security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls." - } - ] - }, - { - "id": "pm-2", - "class": "SP800-53", - "title": "Information Security Program Leadership Role", - "properties": [ - { - "name": "label", - "value": "PM-2" - }, - { - "name": "sort-id", - "value": "PM-02" - } - ], - "links": [ - { - "href": "#ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3", - "rel": "reference", - "text": "[OMB M-17-25]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - } - ], - "parts": [ - { - "id": "pm-2_smt", - "name": "statement", - "prose": "Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program." - }, - { - "id": "pm-2_gdn", - "name": "guidance", - "prose": "The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer." - } - ] - }, - { - "id": "pm-3", - "class": "SP800-53", - "title": "Information Security and Privacy Resources", - "properties": [ - { - "name": "label", - "value": "PM-3" - }, - { - "name": "sort-id", - "value": "PM-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-3_smt", - "name": "statement", - "parts": [ - { - "id": "pm-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;" - }, - { - "id": "pm-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and" - }, - { - "id": "pm-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make available for expenditure, the planned information security and privacy resources." - } - ] - }, - { - "id": "pm-3_gdn", - "name": "guidance", - "prose": "Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process." - } - ] - }, - { - "id": "pm-4", - "class": "SP800-53", - "title": "Plan of Action and Milestones Process", - "properties": [ - { - "name": "label", - "value": "PM-4" - }, - { - "name": "sort-id", - "value": "PM-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-3", - "rel": "related", - "text": "PM-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-4_smt", - "name": "statement", - "parts": [ - { - "id": "pm-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:", - "parts": [ - { - "id": "pm-4_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained;" - }, - { - "id": "pm-4_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-4_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Are reported in accordance with established reporting requirements." - } - ] - }, - { - "id": "pm-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-4_gdn", - "name": "guidance", - "prose": "The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5." - } - ] - }, - { - "id": "pm-5", - "class": "SP800-53", - "title": "System Inventory", - "parameters": [ - { - "id": "pm-5_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-5" - }, - { - "name": "sort-id", - "value": "PM-05" - } - ], - "links": [ - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - } - ], - "parts": [ - { - "id": "pm-5_smt", - "name": "statement", - "prose": "Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems." - }, - { - "id": "pm-5_gdn", - "name": "guidance", - "prose": "[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8." - } - ], - "controls": [ - { - "id": "pm-5.1", - "class": "SP800-53-enhancement", - "title": "Inventory of Personally Identifiable Information", - "parameters": [ - { - "id": "pm-5.1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-5(1)" - }, - { - "name": "sort-id", - "value": "PM-05(01)" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-12", - "rel": "related", - "text": "CM-12" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-5.1_smt", - "name": "statement", - "prose": "Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information." - }, - { - "id": "pm-5.1_gdn", - "name": "guidance", - "prose": "An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein." - } - ] - } - ] - }, - { - "id": "pm-6", - "class": "SP800-53", - "title": "Measures of Performance", - "properties": [ - { - "name": "label", - "value": "PM-6" - }, - { - "name": "sort-id", - "value": "PM-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "rel": "reference", - "text": "[SP 800-55]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - } - ], - "parts": [ - { - "id": "pm-6_smt", - "name": "statement", - "prose": "Develop, monitor, and report on the results of information security and privacy measures of performance." - }, - { - "id": "pm-6_gdn", - "name": "guidance", - "prose": "Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program." - } - ] - }, - { - "id": "pm-7", - "class": "SP800-53", - "title": "Enterprise Architecture", - "properties": [ - { - "name": "label", - "value": "PM-7" - }, - { - "name": "sort-id", - "value": "PM-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "pm-7_smt", - "name": "statement", - "prose": "Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation." - }, - { - "id": "pm-7_gdn", - "name": "guidance", - "prose": "The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines." - } - ], - "controls": [ - { - "id": "pm-7.1", - "class": "SP800-53-enhancement", - "title": "Offloading", - "parameters": [ - { - "id": "pm-7.1_prm_1", - "label": "organization-defined non-essential functions or services" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-7(1)" - }, - { - "name": "sort-id", - "value": "PM-07(01)" - } - ], - "links": [ - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pm-7.1_smt", - "name": "statement", - "prose": "Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider." - }, - { - "id": "pm-7.1_gdn", - "name": "guidance", - "prose": "Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services." - } - ] - } - ] - }, - { - "id": "pm-8", - "class": "SP800-53", - "title": "Critical Infrastructure Plan", - "properties": [ - { - "name": "label", - "value": "PM-8" - }, - { - "name": "sort-id", - "value": "PM-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#cde25174-38e0-4a00-8919-8ee3674b8088", - "rel": "reference", - "text": "[HSPD 7]" - }, - { - "href": "#24b7b1ec-6430-41de-9353-29fdb1b488fc", - "rel": "reference", - "text": "[DHS NIPP]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-8_smt", - "name": "statement", - "prose": "Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan." - }, - { - "id": "pm-8_gdn", - "name": "guidance", - "prose": "Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "pm-9", - "class": "SP800-53", - "title": "Risk Management Strategy", - "parameters": [ - { - "id": "pm-9_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-9" - }, - { - "name": "sort-id", - "value": "PM-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "pm-9_smt", - "name": "statement", - "parts": [ - { - "id": "pm-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develops a comprehensive strategy to manage:", - "parts": [ - { - "id": "pm-9_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and" - }, - { - "id": "pm-9_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Privacy risk to individuals resulting from the authorized processing of personally identifiable information;" - } - ] - }, - { - "id": "pm-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the risk management strategy consistently across the organization; and" - }, - { - "id": "pm-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes." - } - ] - }, - { - "id": "pm-9_gdn", - "name": "guidance", - "prose": "An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive." - } - ] - }, - { - "id": "pm-10", - "class": "SP800-53", - "title": "Authorization Process", - "properties": [ - { - "name": "label", - "value": "PM-10" - }, - { - "name": "sort-id", - "value": "PM-10" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "pm-10_smt", - "name": "statement", - "parts": [ - { - "id": "pm-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;" - }, - { - "id": "pm-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and" - }, - { - "id": "pm-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Integrate the authorization processes into an organization-wide risk management program." - } - ] - }, - { - "id": "pm-10_gdn", - "name": "guidance", - "prose": "Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation." - } - ] - }, - { - "id": "pm-11", - "class": "SP800-53", - "title": "Mission and Business Process Definition", - "parameters": [ - { - "id": "pm-11_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-11" - }, - { - "name": "sort-id", - "value": "PM-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-11_smt", - "name": "statement", - "parts": [ - { - "id": "pm-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and" - }, - { - "id": "pm-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and revise the mission and business processes {{ pm-11_prm_1 }}." - } - ] - }, - { - "id": "pm-11_gdn", - "name": "guidance", - "prose": "Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures." - } - ] - }, - { - "id": "pm-12", - "class": "SP800-53", - "title": "Insider Threat Program", - "properties": [ - { - "name": "label", - "value": "PM-12" - }, - { - "name": "sort-id", - "value": "PM-12" - } - ], - "links": [ - { - "href": "#2b5e12fb-633f-49e6-8aff-81d75bf53545", - "rel": "reference", - "text": "[EO 13587]" - }, - { - "href": "#286d42a1-efbe-49a2-9ce1-4c9bf68feb3b", - "rel": "reference", - "text": "[ODNI NITP]" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-16", - "rel": "related", - "text": "PM-16" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - } - ], - "parts": [ - { - "id": "pm-12_smt", - "name": "statement", - "prose": "Implement an insider threat program that includes a cross-discipline insider threat incident handling team." - }, - { - "id": "pm-12_gdn", - "name": "guidance", - "prose": "Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture.\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "pm-13", - "class": "SP800-53", - "title": "Security and Privacy Workforce", - "properties": [ - { - "name": "label", - "value": "PM-13" - }, - { - "name": "sort-id", - "value": "PM-13" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f4c3f657-de83-47ae-9aec-e144de8268d1", - "rel": "reference", - "text": "[SP 800-181]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "pm-13_smt", - "name": "statement", - "prose": "Establish a security and privacy workforce development and improvement program." - }, - { - "id": "pm-13_gdn", - "name": "guidance", - "prose": "Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals." - } - ] - }, - { - "id": "pm-14", - "class": "SP800-53", - "title": "Testing, Training, and Monitoring", - "properties": [ - { - "name": "label", - "value": "PM-14" - }, - { - "name": "sort-id", - "value": "PM-14" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "pm-14_smt", - "name": "statement", - "parts": [ - { - "id": "pm-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:", - "parts": [ - { - "id": "pm-14_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained; and" - }, - { - "id": "pm-14_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Continue to be executed; and" - } - ] - }, - { - "id": "pm-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-14_gdn", - "name": "guidance", - "prose": "This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments." - } - ] - }, - { - "id": "pm-15", - "class": "SP800-53", - "title": "Security and Privacy Groups and Associations", - "properties": [ - { - "name": "label", - "value": "PM-15" - }, - { - "name": "sort-id", - "value": "PM-15" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - } - ], - "parts": [ - { - "id": "pm-15_smt", - "name": "statement", - "prose": "Establish and institutionalize contact with selected groups and associations within the security and privacy communities:", - "parts": [ - { - "id": "pm-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "To facilitate ongoing security and privacy education and training for organizational personnel;" - }, - { - "id": "pm-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "To maintain currency with recommended security and privacy practices, techniques, and technologies; and" - }, - { - "id": "pm-15_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "To share current security and privacy information, including threats, vulnerabilities, and incidents." - } - ] - }, - { - "id": "pm-15_gdn", - "name": "guidance", - "prose": "Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "pm-16", - "class": "SP800-53", - "title": "Threat Awareness Program", - "properties": [ - { - "name": "label", - "value": "PM-16" - }, - { - "name": "sort-id", - "value": "PM-16" - } - ], - "links": [ - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - } - ], - "parts": [ - { - "id": "pm-16_smt", - "name": "statement", - "prose": "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence." - }, - { - "id": "pm-16_gdn", - "name": "guidance", - "prose": "Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared." - } - ], - "controls": [ - { - "id": "pm-16.1", - "class": "SP800-53-enhancement", - "title": "Automated Means for Sharing Threat Intelligence", - "properties": [ - { - "name": "label", - "value": "PM-16(1)" - }, - { - "name": "sort-id", - "value": "PM-16(01)" - } - ], - "parts": [ - { - "id": "pm-16.1_smt", - "name": "statement", - "prose": "Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information." - }, - { - "id": "pm-16.1_gdn", - "name": "guidance", - "prose": "To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures." - } - ] - } - ] - }, - { - "id": "pm-17", - "class": "SP800-53", - "title": "Protecting Controlled Unclassified Information on External Systems", - "parameters": [ - { - "id": "pm-17_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-17" - }, - { - "name": "sort-id", - "value": "PM-17" - } - ], - "links": [ - { - "href": "#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "rel": "reference", - "text": "[32 CFR 2002]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#dd87fdf0-840d-4392-9de4-220b2327e340", - "rel": "reference", - "text": "[NARA CUI]" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - } - ], - "parts": [ - { - "id": "pm-17_smt", - "name": "statement", - "parts": [ - { - "id": "pm-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards." - }, - { - "id": "pm-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update the policy and procedures {{ pm-17_prm_1 }}." - } - ] - }, - { - "id": "pm-17_gdn", - "name": "guidance", - "prose": "Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes." - } - ] - }, - { - "id": "pm-18", - "class": "SP800-53", - "title": "Privacy Program Plan", - "properties": [ - { - "name": "label", - "value": "PM-18" - }, - { - "name": "sort-id", - "value": "PM-18" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-18_smt", - "name": "statement", - "parts": [ - { - "id": "pm-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:", - "parts": [ - { - "id": "pm-18_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;" - }, - { - "id": "pm-18_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;" - }, - { - "id": "pm-18_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;" - }, - { - "id": "pm-18_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;" - }, - { - "id": "pm-18_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Reflects coordination among organizational entities responsible for the different aspects of privacy; and" - }, - { - "id": "pm-18_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and" - } - ] - }, - { - "id": "pm-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments." - } - ] - }, - { - "id": "pm-18_gdn", - "name": "guidance", - "prose": "A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls." - } - ] - }, - { - "id": "pm-19", - "class": "SP800-53", - "title": "Privacy Program Leadership Role", - "properties": [ - { - "name": "label", - "value": "PM-19" - }, - { - "name": "sort-id", - "value": "PM-19" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-20", - "rel": "related", - "text": "PM-20" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - } - ], - "parts": [ - { - "id": "pm-19_smt", - "name": "statement", - "prose": "Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program." - }, - { - "id": "pm-19_gdn", - "name": "guidance", - "prose": "The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)." - } - ] - }, - { - "id": "pm-20", - "class": "SP800-53", - "title": "Dissemination of Privacy Program Information", - "properties": [ - { - "name": "label", - "value": "PM-20" - }, - { - "name": "sort-id", - "value": "PM-20" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f7d3617a-9a4f-4f1a-a688-845081b70390", - "rel": "reference", - "text": "[OMB M-17-06]" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - } - ], - "parts": [ - { - "id": "pm-20_smt", - "name": "statement", - "prose": "Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:", - "parts": [ - { - "id": "pm-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;" - }, - { - "id": "pm-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensures that organizational privacy practices and reports are publicly available; and" - }, - { - "id": "pm-20_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices." - } - ] - }, - { - "id": "pm-20_gdn", - "name": "guidance", - "prose": "Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications." - } - ] - }, - { - "id": "pm-21", - "class": "SP800-53", - "title": "Accounting of Disclosures", - "properties": [ - { - "name": "label", - "value": "PM-21" - }, - { - "name": "sort-id", - "value": "PM-21" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - } - ], - "parts": [ - { - "id": "pm-21_smt", - "name": "statement", - "parts": [ - { - "id": "pm-21_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:", - "parts": [ - { - "id": "pm-21_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Date, nature, and purpose of each disclosure; and" - }, - { - "id": "pm-21_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Name and address, or other contact information of the person or organization to which the disclosure was made;" - } - ] - }, - { - "id": "pm-21_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and" - }, - { - "id": "pm-21_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request." - } - ] - }, - { - "id": "pm-21_gdn", - "name": "guidance", - "prose": "The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions." - } - ] - }, - { - "id": "pm-22", - "class": "SP800-53", - "title": "Personally Identifiable Information Quality Management", - "properties": [ - { - "name": "label", - "value": "PM-22" - }, - { - "name": "sort-id", - "value": "PM-22" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-22_smt", - "name": "statement", - "prose": "Develop and document policies and procedures for:", - "parts": [ - { - "id": "pm-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;" - }, - { - "id": "pm-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Correcting or deleting inaccurate or outdated personally identifiable information;" - }, - { - "id": "pm-22_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and" - }, - { - "id": "pm-22_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Appeals of adverse decisions on correction or deletion requests." - } - ] - }, - { - "id": "pm-22_gdn", - "name": "guidance", - "prose": "Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem." - } - ] - }, - { - "id": "pm-23", - "class": "SP800-53", - "title": "Data Governance Body", - "parameters": [ - { - "id": "pm-23_prm_1", - "label": "organization-defined roles" - }, - { - "id": "pm-23_prm_2", - "label": "organization-defined responsibilities" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-23" - }, - { - "name": "sort-id", - "value": "PM-23" - } - ], - "links": [ - { - "href": "#43facb7b-0afb-480f-8191-34790d5b444b", - "rel": "reference", - "text": "[EVIDACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#d843e915-eeb6-4bbe-8cab-ccc802088703", - "rel": "reference", - "text": "[OMB M-19-23]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - } - ], - "parts": [ - { - "id": "pm-23_smt", - "name": "statement", - "prose": "Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}." - }, - { - "id": "pm-23_gdn", - "name": "guidance", - "prose": "A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]." - } - ] - }, - { - "id": "pm-24", - "class": "SP800-53", - "title": "Data Integrity Board", - "properties": [ - { - "name": "label", - "value": "PM-24" - }, - { - "name": "sort-id", - "value": "PM-24" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - } - ], - "parts": [ - { - "id": "pm-24_smt", - "name": "statement", - "prose": "Establish a Data Integrity Board to:", - "parts": [ - { - "id": "pm-24_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review proposals to conduct or participate in a matching program; and" - }, - { - "id": "pm-24_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Conduct an annual review of all matching programs in which the agency has participated." - } - ] - }, - { - "id": "pm-24_gdn", - "name": "guidance", - "prose": "A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy." - } - ] - }, - { - "id": "pm-25", - "class": "SP800-53", - "title": "Minimization of Pii Used in Testing, Training, and Research", - "parameters": [ - { - "id": "pm-25_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-25" - }, - { - "name": "sort-id", - "value": "PM-25" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "pm-25_smt", - "name": "statement", - "parts": [ - { - "id": "pm-25_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;" - }, - { - "id": "pm-25_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;" - }, - { - "id": "pm-25_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and" - }, - { - "id": "pm-25_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review and update policies and procedures {{ pm-25_prm_1 }}." - } - ] - }, - { - "id": "pm-25_gdn", - "name": "guidance", - "prose": "The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)." - } - ] - }, - { - "id": "pm-26", - "class": "SP800-53", - "title": "Complaint Management", - "parameters": [ - { - "id": "pm-26_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_3", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-26" - }, - { - "name": "sort-id", - "value": "PM-26" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-26_smt", - "name": "statement", - "prose": "Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:", - "parts": [ - { - "id": "pm-26_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Mechanisms that are easy to use and readily accessible by the public;" - }, - { - "id": "pm-26_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "All information necessary for successfully filing complaints;" - }, - { - "id": "pm-26_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};" - }, - { - "id": "pm-26_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and" - }, - { - "id": "pm-26_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}." - } - ] - }, - { - "id": "pm-26_gdn", - "name": "guidance", - "prose": "Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information." - } - ] - }, - { - "id": "pm-27", - "class": "SP800-53", - "title": "Privacy Reporting", - "parameters": [ - { - "id": "pm-27_prm_1", - "label": "organization-defined privacy reports" - }, - { - "id": "pm-27_prm_2", - "label": "organization-defined officials" - }, - { - "id": "pm-27_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-27" - }, - { - "name": "sort-id", - "value": "PM-27" - } - ], - "links": [ - { - "href": "#14958422-54f6-471f-a345-802dca594dd8", - "rel": "reference", - "text": "[FISMA]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-27_smt", - "name": "statement", - "parts": [ - { - "id": "pm-27_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop {{ pm-27_prm_1 }} and disseminate to:", - "parts": [ - { - "id": "pm-27_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and" - }, - { - "id": "pm-27_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and" - } - ] - }, - { - "id": "pm-27_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update privacy reports {{ pm-27_prm_3 }}." - } - ] - }, - { - "id": "pm-27_gdn", - "name": "guidance", - "prose": "Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements." - } - ] - }, - { - "id": "pm-28", - "class": "SP800-53", - "title": "Risk Framing", - "parameters": [ - { - "id": "pm-28_prm_1", - "label": "organization-defined personnel" - }, - { - "id": "pm-28_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-28" - }, - { - "name": "sort-id", - "value": "PM-28" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - } - ], - "parts": [ - { - "id": "pm-28_smt", - "name": "statement", - "parts": [ - { - "id": "pm-28_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document:", - "parts": [ - { - "id": "pm-28_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Assumptions affecting risk assessments, risk responses, and risk monitoring;" - }, - { - "id": "pm-28_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Constraints affecting risk assessments, risk responses, and risk monitoring;" - }, - { - "id": "pm-28_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Priorities and trade-offs considered by the organization for managing risk; and" - }, - { - "id": "pm-28_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Organizational risk tolerance; and" - } - ] - }, - { - "id": "pm-28_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute the results of risk framing activities to {{ pm-28_prm_1 }};" - }, - { - "id": "pm-28_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update risk framing considerations {{ pm-28_prm_2 }}." - } - ] - }, - { - "id": "pm-28_gdn", - "name": "guidance", - "prose": "Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management." - } - ] - }, - { - "id": "pm-29", - "class": "SP800-53", - "title": "Risk Management Program Leadership Roles", - "properties": [ - { - "name": "label", - "value": "PM-29" - }, - { - "name": "sort-id", - "value": "PM-29" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-29_smt", - "name": "statement", - "parts": [ - { - "id": "pm-29_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and" - }, - { - "id": "pm-29_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization." - } - ] - }, - { - "id": "pm-29_gdn", - "name": "guidance", - "prose": "The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities." - } - ] - }, - { - "id": "pm-30", - "class": "SP800-53", - "title": "Supply Chain Risk Management Strategy", - "parameters": [ - { - "id": "pm-30_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-30" - }, - { - "name": "sort-id", - "value": "PM-30" - } - ], - "links": [ - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-7", - "rel": "related", - "text": "SR-7" - }, - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "pm-30_smt", - "name": "statement", - "parts": [ - { - "id": "pm-30_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;" - }, - { - "id": "pm-30_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the supply chain risk management strategy consistently across the organization; and" - }, - { - "id": "pm-30_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes." - } - ] - }, - { - "id": "pm-30_gdn", - "name": "guidance", - "prose": "An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level." - } - ] - }, - { - "id": "pm-31", - "class": "SP800-53", - "title": "Continuous Monitoring Strategy", - "parameters": [ - { - "id": "pm-31_prm_1", - "label": "organization-defined metrics" - }, - { - "id": "pm-31_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "pm-31_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-31" - }, - { - "name": "sort-id", - "value": "PM-31" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pm-31_smt", - "name": "statement", - "prose": "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:", - "parts": [ - { - "id": "pm-31_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};" - }, - { - "id": "pm-31_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "pm-31_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "pm-31_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "pm-31_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "pm-31_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}." - } - ] - }, - { - "id": "pm-31_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ] - }, - { - "id": "pm-32", - "class": "SP800-53", - "title": "Purposing", - "parameters": [ - { - "id": "pm-32_prm_1", - "label": "organization-defined systems or systems components" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-32" - }, - { - "name": "sort-id", - "value": "PM-32" - } - ], - "links": [ - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - } - ], - "parts": [ - { - "id": "pm-32_smt", - "name": "statement", - "prose": "Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose." - }, - { - "id": "pm-32_gdn", - "name": "guidance", - "prose": "Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures." - } - ] - } - ] - }, - { - "id": "ps", - "class": "family", - "title": "Personnel Security", - "controls": [ - { - "id": "ps-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ps-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-1_prm_2" - }, - { - "id": "ps-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ps-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ps-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-1" - }, - { - "name": "sort-id", - "value": "PS-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-1_smt", - "name": "statement", - "parts": [ - { - "id": "ps-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ps-1_prm_1 }}:", - "parts": [ - { - "id": "ps-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ps-1_prm_2 }} personnel security policy that:", - "parts": [ - { - "id": "ps-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ps-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ps-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" - } - ] - }, - { - "id": "ps-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" - }, - { - "id": "ps-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current personnel security:", - "parts": [ - { - "id": "ps-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ps-1_prm_4 }}; and" - }, - { - "id": "ps-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ps-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ps-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ps-2", - "class": "SP800-53", - "title": "Position Risk Designation", - "parameters": [ - { - "id": "ps-2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-2" - }, - { - "name": "sort-id", - "value": "PS-02" - } - ], - "links": [ - { - "href": "#2383ccfd-d8a0-4e3a-bf40-21288ae1e07a", - "rel": "reference", - "text": "[5 CFR 731]" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-2_smt", - "name": "statement", - "parts": [ - { - "id": "ps-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Assign a risk designation to all organizational positions;" - }, - { - "id": "ps-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establish screening criteria for individuals filling those positions; and" - }, - { - "id": "ps-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update position risk designations {{ ps-2_prm_1 }}." - } - ] - }, - { - "id": "ps-2_gdn", - "name": "guidance", - "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." - } - ] - }, - { - "id": "ps-3", - "class": "SP800-53", - "title": "Personnel Screening", - "parameters": [ - { - "id": "ps-3_prm_1", - "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-3" - }, - { - "name": "sort-id", - "value": "PS-03" - } - ], - "links": [ - { - "href": "#52a8b0c6-0c6b-424b-928d-41c50ba87838", - "rel": "reference", - "text": "[EO 13526]" - }, - { - "href": "#2b5e12fb-633f-49e6-8aff-81d75bf53545", - "rel": "reference", - "text": "[EO 13587]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - } - ], - "parts": [ - { - "id": "ps-3_smt", - "name": "statement", - "parts": [ - { - "id": "ps-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Screen individuals prior to authorizing access to the system; and" - }, - { - "id": "ps-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Rescreen individuals in accordance with {{ ps-3_prm_1 }}." - } - ] - }, - { - "id": "ps-3_gdn", - "name": "guidance", - "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." - } - ] - }, - { - "id": "ps-4", - "class": "SP800-53", - "title": "Personnel Termination", - "parameters": [ - { - "id": "ps-4_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ps-4_prm_2", - "label": "organization-defined information security topics" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-4" - }, - { - "name": "sort-id", - "value": "PS-04" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - } - ], - "parts": [ - { - "id": "ps-4_smt", - "name": "statement", - "prose": "Upon termination of individual employment:", - "parts": [ - { - "id": "ps-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Disable system access within {{ ps-4_prm_1 }};" - }, - { - "id": "ps-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" - }, - { - "id": "ps-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }};" - }, - { - "id": "ps-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Retrieve all security-related organizational system-related property; and" - }, - { - "id": "ps-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." - } - ] - }, - { - "id": "ps-4_gdn", - "name": "guidance", - "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified." - } - ] - }, - { - "id": "ps-5", - "class": "SP800-53", - "title": "Personnel Transfer", - "parameters": [ - { - "id": "ps-5_prm_1", - "label": "organization-defined transfer or reassignment actions" - }, - { - "id": "ps-5_prm_2", - "label": "organization-defined time-period following the formal transfer action" - }, - { - "id": "ps-5_prm_3", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-5_prm_4", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-5" - }, - { - "name": "sort-id", - "value": "PS-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - } - ], - "parts": [ - { - "id": "ps-5_smt", - "name": "statement", - "parts": [ - { - "id": "ps-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" - }, - { - "id": "ps-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};" - }, - { - "id": "ps-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" - }, - { - "id": "ps-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}." - } - ] - }, - { - "id": "ps-5_gdn", - "name": "guidance", - "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." - } - ] - }, - { - "id": "ps-6", - "class": "SP800-53", - "title": "Access Agreements", - "parameters": [ - { - "id": "ps-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ps-6_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-6" - }, - { - "name": "sort-id", - "value": "PS-06" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-6_smt", - "name": "statement", - "parts": [ - { - "id": "ps-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and document access agreements for organizational systems;" - }, - { - "id": "ps-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the access agreements {{ ps-6_prm_1 }}; and" - }, - { - "id": "ps-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Verify that individuals requiring access to organizational information and systems:", - "parts": [ - { - "id": "ps-6_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Sign appropriate access agreements prior to being granted access; and" - }, - { - "id": "ps-6_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}." - } - ] - } - ] - }, - { - "id": "ps-6_gdn", - "name": "guidance", - "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." - } - ] - }, - { - "id": "ps-7", - "class": "SP800-53", - "title": "External Personnel Security", - "parameters": [ - { - "id": "ps-7_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-7_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-7" - }, - { - "name": "sort-id", - "value": "PS-07" - } - ], - "links": [ - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - } - ], - "parts": [ - { - "id": "ps-7_smt", - "name": "statement", - "parts": [ - { - "id": "ps-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" - }, - { - "id": "ps-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" - }, - { - "id": "ps-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document personnel security requirements;" - }, - { - "id": "ps-7_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and" - }, - { - "id": "ps-7_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Monitor provider compliance with personnel security requirements." - } - ] - }, - { - "id": "ps-7_gdn", - "name": "guidance", - "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated." - } - ] - }, - { - "id": "ps-8", - "class": "SP800-53", - "title": "Personnel Sanctions", - "parameters": [ - { - "id": "ps-8_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-8_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-8" - }, - { - "name": "sort-id", - "value": "PS-08" - } - ], - "links": [ - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - } - ], - "parts": [ - { - "id": "ps-8_smt", - "name": "statement", - "parts": [ - { - "id": "ps-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" - }, - { - "id": "ps-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." - } - ] - }, - { - "id": "ps-8_gdn", - "name": "guidance", - "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." - } - ] - } - ] - }, - { - "id": "ra", - "class": "family", - "title": "Risk Assessment", - "controls": [ - { - "id": "ra-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ra-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-1_prm_2" - }, - { - "id": "ra-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ra-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ra-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-1" - }, - { - "name": "sort-id", - "value": "RA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-1_smt", - "name": "statement", - "parts": [ - { - "id": "ra-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ra-1_prm_1 }}:", - "parts": [ - { - "id": "ra-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ra-1_prm_2 }} risk assessment policy that:", - "parts": [ - { - "id": "ra-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ra-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ra-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" - } - ] - }, - { - "id": "ra-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" - }, - { - "id": "ra-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current risk assessment:", - "parts": [ - { - "id": "ra-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ra-1_prm_4 }}; and" - }, - { - "id": "ra-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ra-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ra-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ra-2", - "class": "SP800-53", - "title": "Security Categorization", - "properties": [ - { - "name": "label", - "value": "RA-2" - }, - { - "name": "sort-id", - "value": "RA-02" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-2_smt", - "name": "statement", - "parts": [ - { - "id": "ra-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Categorize the system and information it processes, stores, and transmits;" - }, - { - "id": "ra-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" - }, - { - "id": "ra-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." - } - ] - }, - { - "id": "ra-2_gdn", - "name": "guidance", - "prose": "Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts.\nSecurity categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant." - } - ] - }, - { - "id": "ra-3", - "class": "SP800-53", - "title": "Risk Assessment", - "parameters": [ - { - "id": "ra-3_prm_1" - }, - { - "id": "ra-3_prm_2", - "depends-on": "ra-3_prm_1", - "label": "organization-defined document" - }, - { - "id": "ra-3_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "ra-3_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-3_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-3" - }, - { - "name": "sort-id", - "value": "RA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-3_smt", - "name": "statement", - "parts": [ - { - "id": "ra-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Conduct a risk assessment, including:", - "parts": [ - { - "id": "ra-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" - }, - { - "id": "ra-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" - } - ] - }, - { - "id": "ra-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" - }, - { - "id": "ra-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document risk assessment results in {{ ra-3_prm_1 }};" - }, - { - "id": "ra-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review risk assessment results {{ ra-3_prm_3 }};" - }, - { - "id": "ra-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Disseminate risk assessment results to {{ ra-3_prm_4 }}; and" - }, - { - "id": "ra-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." - } - ] - }, - { - "id": "ra-3_gdn", - "name": "guidance", - "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." - } - ], - "controls": [ - { - "id": "ra-3.1", - "class": "SP800-53-enhancement", - "title": "Supply Chain Risk Assessment", - "parameters": [ - { - "id": "ra-3.1_prm_1", - "label": "organization-defined systems, system components, and system services" - }, - { - "id": "ra-3.1_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-3(1)" - }, - { - "name": "sort-id", - "value": "RA-03(01)" - } - ], - "links": [ - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#pm-17", - "rel": "related", - "text": "PM-17" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "ra-3.1_smt", - "name": "statement", - "parts": [ - { - "id": "ra-3.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and" - }, - { - "id": "ra-3.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." - } - ] - }, - { - "id": "ra-3.1_gdn", - "name": "guidance", - "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." - } - ] - } - ] - }, - { - "id": "ra-5", - "class": "SP800-53", - "title": "Vulnerability Monitoring and Scanning", - "parameters": [ - { - "id": "ra-5_prm_1", - "label": "organization-defined frequency and/or randomly in accordance with organization-defined process" - }, - { - "id": "ra-5_prm_2", - "label": "organization-defined response times" - }, - { - "id": "ra-5_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5" - }, - { - "name": "sort-id", - "value": "RA-05" - } - ], - "links": [ - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "rel": "reference", - "text": "[SP 800-126]" - }, - { - "href": "#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "rel": "reference", - "text": "[IR 7788]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "ra-5_smt", - "name": "statement", - "parts": [ - { - "id": "ra-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" - }, - { - "id": "ra-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", - "parts": [ - { - "id": "ra-5_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Enumerating platforms, software flaws, and improper configurations;" - }, - { - "id": "ra-5_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Formatting checklists and test procedures; and" - }, - { - "id": "ra-5_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Measuring vulnerability impact;" - } - ] - }, - { - "id": "ra-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" - }, - { - "id": "ra-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk;" - }, - { - "id": "ra-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and" - }, - { - "id": "ra-5_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." - } - ] - }, - { - "id": "ra-5_gdn", - "name": "guidance", - "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\nVulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\nOrganizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." - } - ], - "controls": [ - { - "id": "ra-5.2", - "class": "SP800-53-enhancement", - "title": "Update System Vulnerabilities", - "parameters": [ - { - "id": "ra-5.2_prm_1" - }, - { - "id": "ra-5.2_prm_2", - "depends-on": "ra-5.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5(2)" - }, - { - "name": "sort-id", - "value": "RA-05(02)" - } - ], - "links": [ - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - } - ], - "parts": [ - { - "id": "ra-5.2_smt", - "name": "statement", - "prose": "Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}." - }, - { - "id": "ra-5.2_gdn", - "name": "guidance", - "prose": "Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." - } - ] - } - ] - }, - { - "id": "ra-7", - "class": "SP800-53", - "title": "Risk Response", - "properties": [ - { - "name": "label", - "value": "RA-7" - }, - { - "name": "sort-id", - "value": "RA-07" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "ra-7_smt", - "name": "statement", - "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." - }, - { - "id": "ra-7_gdn", - "name": "guidance", - "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." - } - ] - } - ] - }, - { - "id": "sa", - "class": "family", - "title": "System and Services Acquisition", - "controls": [ - { - "id": "sa-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sa-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sa-1_prm_2" - }, - { - "id": "sa-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sa-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sa-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-1" - }, - { - "name": "sort-id", - "value": "SA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sa-1_smt", - "name": "statement", - "parts": [ - { - "id": "sa-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sa-1_prm_1 }}:", - "parts": [ - { - "id": "sa-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sa-1_prm_2 }} system and services acquisition policy that:", - "parts": [ - { - "id": "sa-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sa-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sa-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" - } - ] - }, - { - "id": "sa-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" - }, - { - "id": "sa-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and services acquisition:", - "parts": [ - { - "id": "sa-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sa-1_prm_4 }}; and" - }, - { - "id": "sa-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sa-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sa-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sa-2", - "class": "SP800-53", - "title": "Allocation of Resources", - "properties": [ - { - "name": "label", - "value": "SA-2" - }, - { - "name": "sort-id", - "value": "SA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pm-3", - "rel": "related", - "text": "PM-3" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-2_smt", - "name": "statement", - "parts": [ - { - "id": "sa-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" - }, - { - "id": "sa-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" - }, - { - "id": "sa-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." - } - ] - }, - { - "id": "sa-2_gdn", - "name": "guidance", - "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle." - } - ] - }, - { - "id": "sa-3", - "class": "SP800-53", - "title": "System Development Life Cycle", - "parameters": [ - { - "id": "sa-3_prm_1", - "label": "organization-defined system development life cycle" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-3" - }, - { - "name": "sort-id", - "value": "SA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "rel": "reference", - "text": "[SP 800-171B]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-22", - "rel": "related", - "text": "SA-22" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - } - ], - "parts": [ - { - "id": "sa-3_smt", - "name": "statement", - "parts": [ - { - "id": "sa-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations;" - }, - { - "id": "sa-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" - }, - { - "id": "sa-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Identify individuals having information security and privacy roles and responsibilities; and" - }, - { - "id": "sa-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." - } - ] - }, - { - "id": "sa-3_gdn", - "name": "guidance", - "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle." - } - ] - }, - { - "id": "sa-4", - "class": "SP800-53", - "title": "Acquisition Process", - "parameters": [ - { - "id": "sa-4_prm_1" - }, - { - "id": "sa-4_prm_2", - "depends-on": "sa-4_prm_1", - "label": "organization-defined contract language" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-4" - }, - { - "name": "sort-id", - "value": "SA-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "rel": "reference", - "text": "[ISO 15408-1]" - }, - { - "href": "#18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "rel": "reference", - "text": "[ISO 15408-2]" - }, - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#daf69edb-a0ef-4447-9880-8c4bf553181f", - "rel": "reference", - "text": "[IR 7676]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#5dac2312-1d0d-416f-aebb-400fa9775b74", - "rel": "reference", - "text": "[NIAP CCEVS]" - }, - { - "href": "#634dec27-df88-4c30-b1a4-b57cdfd24f20", - "rel": "reference", - "text": "[NSA CSFC]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-4_smt", - "name": "statement", - "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:", - "parts": [ - { - "id": "sa-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Security and privacy functional requirements;" - }, - { - "id": "sa-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Strength of mechanism requirements;" - }, - { - "id": "sa-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Security and privacy assurance requirements;" - }, - { - "id": "sa-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Controls needed to satisfy the security and privacy requirements." - }, - { - "id": "sa-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Security and privacy documentation requirements;" - }, - { - "id": "sa-4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Requirements for protecting security and privacy documentation;" - }, - { - "id": "sa-4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Description of the system development environment and environment in which the system is intended to operate;" - }, - { - "id": "sa-4_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" - }, - { - "id": "sa-4_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Acceptance criteria." - } - ] - }, - { - "id": "sa-4_gdn", - "name": "guidance", - "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement." - } - ], - "controls": [ - { - "id": "sa-4.10", - "class": "SP800-53-enhancement", - "title": "Use of Approved PIV Products", - "properties": [ - { - "name": "label", - "value": "SA-4(10)" - }, - { - "name": "sort-id", - "value": "SA-04(10)" - } - ], - "links": [ - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - } - ], - "parts": [ - { - "id": "sa-4.10_smt", - "name": "statement", - "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." - }, - { - "id": "sa-4.10_gdn", - "name": "guidance", - "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations." - } - ] - } - ] - }, - { - "id": "sa-5", - "class": "SP800-53", - "title": "System Documentation", - "parameters": [ - { - "id": "sa-5_prm_1", - "label": "organization-defined actions" - }, - { - "id": "sa-5_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-5" - }, - { - "name": "sort-id", - "value": "SA-05" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "sa-5_smt", - "name": "statement", - "parts": [ - { - "id": "sa-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Obtain administrator documentation for the system, system component, or system service that describes:", - "parts": [ - { - "id": "sa-5_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Secure configuration, installation, and operation of the system, component, or service;" - }, - { - "id": "sa-5_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" - }, - { - "id": "sa-5_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" - } - ] - }, - { - "id": "sa-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Obtain user documentation for the system, system component, or system service that describes:", - "parts": [ - { - "id": "sa-5_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" - }, - { - "id": "sa-5_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" - }, - { - "id": "sa-5_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" - } - ] - }, - { - "id": "sa-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response;" - }, - { - "id": "sa-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect documentation as required, in accordance with the organizational risk management strategy; and" - }, - { - "id": "sa-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Distribute documentation to {{ sa-5_prm_2 }}." - } - ] - }, - { - "id": "sa-5_gdn", - "name": "guidance", - "prose": "System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." - } - ] - }, - { - "id": "sa-8", - "class": "SP800-53", - "title": "Security and Privacy Engineering Principles", - "parameters": [ - { - "id": "sa-8_prm_1", - "label": "organization-defined systems security and privacy engineering principles" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-8" - }, - { - "name": "sort-id", - "value": "SA-08" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-8_smt", - "name": "statement", - "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}." - }, - { - "id": "sa-8_gdn", - "name": "guidance", - "prose": "Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\nThe application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design." - } - ] - }, - { - "id": "sa-9", - "class": "SP800-53", - "title": "External System Services", - "parameters": [ - { - "id": "sa-9_prm_1", - "label": "organization-defined controls" - }, - { - "id": "sa-9_prm_2", - "label": "organization-defined processes, methods, and techniques" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-9" - }, - { - "name": "sort-id", - "value": "SA-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-9_smt", - "name": "statement", - "parts": [ - { - "id": "sa-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};" - }, - { - "id": "sa-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" - }, - { - "id": "sa-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}." - } - ] - }, - { - "id": "sa-9_gdn", - "name": "guidance", - "prose": "External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." - } - ] - }, - { - "id": "sa-22", - "class": "SP800-53", - "title": "Unsupported System Components", - "parameters": [ - { - "id": "sa-22_prm_1" - }, - { - "id": "sa-22_prm_2", - "depends-on": "sa-22_prm_1", - "label": "organization-defined support from external providers" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-22" - }, - { - "name": "sort-id", - "value": "SA-22" - } - ], - "links": [ - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "sa-22_smt", - "name": "statement", - "parts": [ - { - "id": "sa-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" - }, - { - "id": "sa-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}." - } - ] - }, - { - "id": "sa-22_gdn", - "name": "guidance", - "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors." - } - ] - } - ] - }, - { - "id": "sc", - "class": "family", - "title": "System and Communications Protection", - "controls": [ - { - "id": "sc-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sc-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sc-1_prm_2" - }, - { - "id": "sc-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sc-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sc-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-1" - }, - { - "name": "sort-id", - "value": "SC-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sc-1_smt", - "name": "statement", - "parts": [ - { - "id": "sc-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sc-1_prm_1 }}:", - "parts": [ - { - "id": "sc-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sc-1_prm_2 }} system and communications protection policy that:", - "parts": [ - { - "id": "sc-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sc-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sc-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" - } - ] - }, - { - "id": "sc-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" - }, - { - "id": "sc-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and communications protection:", - "parts": [ - { - "id": "sc-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sc-1_prm_4 }}; and" - }, - { - "id": "sc-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sc-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sc-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sc-5", - "class": "SP800-53", - "title": "Denial of Service Protection", - "parameters": [ - { - "id": "sc-5_prm_1" - }, - { - "id": "sc-5_prm_2", - "label": "organization-defined types of denial of service events" - }, - { - "id": "sc-5_prm_3", - "label": "organization-defined controls by type of denial of service event" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-5" - }, - { - "name": "sort-id", - "value": "SC-05" - } - ], - "links": [ - { - "href": "#3862cd94-ff25-4631-9a9a-b92c21a0a923", - "rel": "reference", - "text": "[SP 800-189]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#sc-6", - "rel": "related", - "text": "SC-6" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - } - ], - "parts": [ - { - "id": "sc-5_smt", - "name": "statement", - "parts": [ - { - "id": "sc-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "\n {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and" - }, - { - "id": "sc-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}." - } - ] - }, - { - "id": "sc-5_gdn", - "name": "guidance", - "prose": "Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events." - } - ] - }, - { - "id": "sc-7", - "class": "SP800-53", - "title": "Boundary Protection", - "parameters": [ - { - "id": "sc-7_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7" - }, - { - "name": "sort-id", - "value": "SC-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#db7877cf-1013-4fb1-b943-ca9361d16370", - "rel": "reference", - "text": "[SP 800-41]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#3862cd94-ff25-4631-9a9a-b92c21a0a923", - "rel": "reference", - "text": "[SP 800-189]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - } - ], - "parts": [ - { - "id": "sc-7_smt", - "name": "statement", - "parts": [ - { - "id": "sc-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;" - }, - { - "id": "sc-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and" - }, - { - "id": "sc-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - } - ] - }, - { - "id": "sc-7_gdn", - "name": "guidance", - "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions." - } - ] - }, - { - "id": "sc-12", - "class": "SP800-53", - "title": "Cryptographic Key Establishment and Management", - "parameters": [ - { - "id": "sc-12_prm_1", - "label": "organization-defined requirements for key generation, distribution, storage, access, and destruction" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-12" - }, - { - "name": "sort-id", - "value": "SC-12" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "rel": "reference", - "text": "[SP 800-56A]" - }, - { - "href": "#f417e4ec-cadb-47a8-a363-6006b32c28ad", - "rel": "reference", - "text": "[SP 800-56B]" - }, - { - "href": "#7c3ba335-62bd-4f03-888f-960790409b11", - "rel": "reference", - "text": "[SP 800-56C]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#f437b52f-7f26-42aa-8e8f-999e7d67b2fe", - "rel": "reference", - "text": "[IR 7956]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-11", - "rel": "related", - "text": "SC-11" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-17", - "rel": "related", - "text": "SC-17" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "sc-12_smt", - "name": "statement", - "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}." - }, - { - "id": "sc-12_gdn", - "name": "guidance", - "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." - } - ] - }, - { - "id": "sc-13", - "class": "SP800-53", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "sc-13_prm_1", - "label": "organization-defined cryptographic uses" - }, - { - "id": "sc-13_prm_2", - "label": "organization-defined types of cryptography for each specified cryptographic use" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-13" - }, - { - "name": "sort-id", - "value": "SC-13" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "sc-13_smt", - "name": "statement", - "parts": [ - { - "id": "sc-13_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine the {{ sc-13_prm_1 }}; and" - }, - { - "id": "sc-13_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}." - } - ] - }, - { - "id": "sc-13_gdn", - "name": "guidance", - "prose": "Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "sc-15", - "class": "SP800-53", - "title": "Collaborative Computing Devices and Applications", - "parameters": [ - { - "id": "sc-15_prm_1", - "label": "organization-defined exceptions where remote activation is to be allowed" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-15" - }, - { - "name": "sort-id", - "value": "SC-15" - } - ], - "links": [ - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#sc-42", - "rel": "related", - "text": "SC-42" - } - ], - "parts": [ - { - "id": "sc-15_smt", - "name": "statement", - "parts": [ - { - "id": "sc-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and" - }, - { - "id": "sc-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide an explicit indication of use to users physically present at the devices." - } - ] - }, - { - "id": "sc-15_gdn", - "name": "guidance", - "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated." - } - ] - }, - { - "id": "sc-20", - "class": "SP800-53", - "title": "Secure Name/address Resolution Service (authoritative Source)", - "properties": [ - { - "name": "label", - "value": "SC-20" - }, - { - "name": "sort-id", - "value": "SC-20" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-21", - "rel": "related", - "text": "SC-21" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - } - ], - "parts": [ - { - "id": "sc-20_smt", - "name": "statement", - "parts": [ - { - "id": "sc-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" - }, - { - "id": "sc-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." - } - ] - }, - { - "id": "sc-20_gdn", - "name": "guidance", - "prose": "This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." - } - ] - }, - { - "id": "sc-21", - "class": "SP800-53", - "title": "Secure Name/address Resolution Service (recursive or Caching Resolver)", - "properties": [ - { - "name": "label", - "value": "SC-21" - }, - { - "name": "sort-id", - "value": "SC-21" - } - ], - "links": [ - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - } - ], - "parts": [ - { - "id": "sc-21_smt", - "name": "statement", - "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources." - }, - { - "id": "sc-21_gdn", - "name": "guidance", - "prose": "Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." - } - ] - }, - { - "id": "sc-22", - "class": "SP800-53", - "title": "Architecture and Provisioning for Name/address Resolution Service", - "properties": [ - { - "name": "label", - "value": "SC-22" - }, - { - "name": "sort-id", - "value": "SC-22" - } - ], - "links": [ - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-21", - "rel": "related", - "text": "SC-21" - }, - { - "href": "#sc-24", - "rel": "related", - "text": "SC-24" - } - ], - "parts": [ - { - "id": "sc-22_smt", - "name": "statement", - "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." - }, - { - "id": "sc-22_gdn", - "name": "guidance", - "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists." - } - ] - }, - { - "id": "sc-39", - "class": "SP800-53", - "title": "Process Isolation", - "properties": [ - { - "name": "label", - "value": "SC-39" - }, - { - "name": "sort-id", - "value": "SC-39" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#si-16", - "rel": "related", - "text": "SI-16" - } - ], - "parts": [ - { - "id": "sc-39_smt", - "name": "statement", - "prose": "Maintain a separate execution domain for each executing system process." - }, - { - "id": "sc-39_gdn", - "name": "guidance", - "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." - } - ] - } - ] - }, - { - "id": "si", - "class": "family", - "title": "System and Information Integrity", - "controls": [ - { - "id": "si-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "si-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-1_prm_2" - }, - { - "id": "si-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "si-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "si-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-1" - }, - { - "name": "sort-id", - "value": "SI-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "si-1_smt", - "name": "statement", - "parts": [ - { - "id": "si-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ si-1_prm_1 }}:", - "parts": [ - { - "id": "si-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ si-1_prm_2 }} system and information integrity policy that:", - "parts": [ - { - "id": "si-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "si-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "si-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" - } - ] - }, - { - "id": "si-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" - }, - { - "id": "si-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and information integrity:", - "parts": [ - { - "id": "si-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ si-1_prm_4 }}; and" - }, - { - "id": "si-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ si-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "si-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "si-2", - "class": "SP800-53", - "title": "Flaw Remediation", - "parameters": [ - { - "id": "si-2_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-2" - }, - { - "name": "sort-id", - "value": "SI-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "rel": "reference", - "text": "[IR 7788]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "si-2_smt", - "name": "statement", - "parts": [ - { - "id": "si-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify, report, and correct system flaws;" - }, - { - "id": "si-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" - }, - { - "id": "si-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and" - }, - { - "id": "si-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Incorporate flaw remediation into the organizational configuration management process." - } - ] - }, - { - "id": "si-2_gdn", - "name": "guidance", - "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\nOrganization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." - } - ] - }, - { - "id": "si-3", - "class": "SP800-53", - "title": "Malicious Code Protection", - "parameters": [ - { - "id": "si-3_prm_1" - }, - { - "id": "si-3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "si-3_prm_3" - }, - { - "id": "si-3_prm_4" - }, - { - "id": "si-3_prm_5", - "depends-on": "si-3_prm_4", - "label": "organization-defined action" - }, - { - "id": "si-3_prm_6", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-3" - }, - { - "name": "sort-id", - "value": "SI-03" - } - ], - "links": [ - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#c972a85c-fa75-4596-be25-a338dc7e4e46", - "rel": "reference", - "text": "[SP 800-125B]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-26", - "rel": "related", - "text": "SC-26" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-44", - "rel": "related", - "text": "SC-44" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-8", - "rel": "related", - "text": "SI-8" - }, - { - "href": "#si-15", - "rel": "related", - "text": "SI-15" - } - ], - "parts": [ - { - "id": "si-3_smt", - "name": "statement", - "parts": [ - { - "id": "si-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" - }, - { - "id": "si-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" - }, - { - "id": "si-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Configure malicious code protection mechanisms to:", - "parts": [ - { - "id": "si-3_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" - }, - { - "id": "si-3_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection." - } - ] - }, - { - "id": "si-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." - } - ] - }, - { - "id": "si-3_gdn", - "name": "guidance", - "prose": "System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions.\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files." - } - ] - }, - { - "id": "si-4", - "class": "SP800-53", - "title": "System Monitoring", - "parameters": [ - { - "id": "si-4_prm_1", - "label": "organization-defined monitoring objectives" - }, - { - "id": "si-4_prm_2", - "label": "organization-defined techniques and methods" - }, - { - "id": "si-4_prm_3", - "label": "organization-defined system monitoring information" - }, - { - "id": "si-4_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-4_prm_5" - }, - { - "id": "si-4_prm_6", - "depends-on": "si-4_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4" - }, - { - "name": "sort-id", - "value": "SI-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#02d8ec60-6197-43f8-9f47-18732127963e", - "rel": "reference", - "text": "[SP 800-92]" - }, - { - "href": "#41e2e2c6-2260-4258-85c8-09db17c43103", - "rel": "reference", - "text": "[SP 800-94]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-10", - "rel": "related", - "text": "IA-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-26", - "rel": "related", - "text": "SC-26" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#sc-35", - "rel": "related", - "text": "SC-35" - }, - { - "href": "#sc-36", - "rel": "related", - "text": "SC-36" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - } - ], - "parts": [ - { - "id": "si-4_smt", - "name": "statement", - "parts": [ - { - "id": "si-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor the system to detect:", - "parts": [ - { - "id": "si-4_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and" - }, - { - "id": "si-4_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Unauthorized local, network, and remote connections;" - } - ] - }, - { - "id": "si-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }};" - }, - { - "id": "si-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", - "parts": [ - { - "id": "si-4_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Strategically within the system to collect organization-determined essential information; and" - }, - { - "id": "si-4_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" - } - ] - }, - { - "id": "si-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;" - }, - { - "id": "si-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" - }, - { - "id": "si-4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Obtain legal opinion regarding system monitoring activities; and" - }, - { - "id": "si-4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n {{ si-4_prm_5 }}." - } - ] - }, - { - "id": "si-4_gdn", - "name": "guidance", - "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\nDepending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "si-5", - "class": "SP800-53", - "title": "Security Alerts, Advisories, and Directives", - "parameters": [ - { - "id": "si-5_prm_1", - "label": "organization-defined external organizations" - }, - { - "id": "si-5_prm_2" - }, - { - "id": "si-5_prm_3", - "depends-on": "si-5_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-5_prm_4", - "depends-on": "si-5_prm_2", - "label": "organization-defined elements within the organization" - }, - { - "id": "si-5_prm_5", - "depends-on": "si-5_prm_2", - "label": "organization-defined external organizations" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-5" - }, - { - "name": "sort-id", - "value": "SI-05" - } - ], - "links": [ - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#pm-15", - "rel": "related", - "text": "PM-15" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "si-5_smt", - "name": "statement", - "parts": [ - { - "id": "si-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis;" - }, - { - "id": "si-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" - }, - { - "id": "si-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and" - }, - { - "id": "si-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." - } - ] - }, - { - "id": "si-5_gdn", - "name": "guidance", - "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." - } - ] - }, - { - "id": "si-12", - "class": "SP800-53", - "title": "Information Management and Retention", - "properties": [ - { - "name": "label", - "value": "SI-12" - }, - { - "name": "sort-id", - "value": "SI-12" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-3", - "rel": "related", - "text": "MP-3" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - } - ], - "parts": [ - { - "id": "si-12_smt", - "name": "statement", - "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." - }, - { - "id": "si-12_gdn", - "name": "guidance", - "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel." - } - ] - } - ] - }, - { - "id": "sr", - "class": "family", - "title": "Supply Chain Risk Management", - "controls": [ - { - "id": "sr-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sr-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sr-1_prm_2" - }, - { - "id": "sr-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sr-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sr-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-1" - }, - { - "name": "sort-id", - "value": "SR-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sr-1_smt", - "name": "statement", - "parts": [ - { - "id": "sr-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sr-1_prm_1 }}:", - "parts": [ - { - "id": "sr-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sr-1_prm_2 }} supply chain risk management policy that:", - "parts": [ - { - "id": "sr-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sr-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sr-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" - } - ] - }, - { - "id": "sr-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" - }, - { - "id": "sr-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current supply chain risk management:", - "parts": [ - { - "id": "sr-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sr-1_prm_4 }}; and" - }, - { - "id": "sr-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sr-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sr-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sr-2", - "class": "SP800-53", - "title": "Supply Chain Risk Management Plan", - "parameters": [ - { - "id": "sr-2_prm_1", - "label": "organization-defined systems, system components, or system services" - }, - { - "id": "sr-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-2" - }, - { - "name": "sort-id", - "value": "SR-02" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "sr-2_smt", - "name": "statement", - "parts": [ - { - "id": "sr-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }};" - }, - { - "id": "sr-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the supply chain risk management plan consistently across the organization; and" - }, - { - "id": "sr-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes." - } - ] - }, - { - "id": "sr-2_gdn", - "name": "guidance", - "prose": "The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans.\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8)." - } - ], - "controls": [ - { - "id": "sr-2.1", - "class": "SP800-53-enhancement", - "title": "Establish Scrm Team", - "parameters": [ - { - "id": "sr-2.1_prm_1", - "label": "organization-defined personnel, roles, and responsibilities" - }, - { - "id": "sr-2.1_prm_2", - "label": "organization-defined supply chain risk management activities" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-2(1)" - }, - { - "name": "sort-id", - "value": "SR-02(01)" - } - ], - "parts": [ - { - "id": "sr-2.1_smt", - "name": "statement", - "prose": "Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}." - }, - { - "id": "sr-2.1_gdn", - "name": "guidance", - "prose": "To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team." - } - ] - } - ] - }, - { - "id": "sr-3", - "class": "SP800-53", - "title": "Supply Chain Controls and Processes", - "parameters": [ - { - "id": "sr-3_prm_1", - "label": "organization-defined system or system component" - }, - { - "id": "sr-3_prm_2", - "label": "organization-defined supply chain personnel" - }, - { - "id": "sr-3_prm_3", - "label": "organization-defined supply chain controls" - }, - { - "id": "sr-3_prm_4" - }, - { - "id": "sr-3_prm_5", - "depends-on": "sr-3_prm_4", - "label": "organization-defined document" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-3" - }, - { - "name": "sort-id", - "value": "SR-03" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-29", - "rel": "related", - "text": "SC-29" - }, - { - "href": "#sc-30", - "rel": "related", - "text": "SC-30" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-3_smt", - "name": "statement", - "parts": [ - { - "id": "sr-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }};" - }, - { - "id": "sr-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and" - }, - { - "id": "sr-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}." - } - ] - }, - { - "id": "sr-3_gdn", - "name": "guidance", - "prose": "Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." - } - ] - }, - { - "id": "sr-5", - "class": "SP800-53", - "title": "Acquisition Strategies, Tools, and Methods", - "parameters": [ - { - "id": "sr-5_prm_1", - "label": "organization-defined acquisition strategies, contract tools, and procurement methods" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-5" - }, - { - "name": "sort-id", - "value": "SR-05" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-5_smt", - "name": "statement", - "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}." - }, - { - "id": "sr-5_gdn", - "name": "guidance", - "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." - } - ] - }, - { - "id": "sr-8", - "class": "SP800-53", - "title": "Notification Agreements", - "parameters": [ - { - "id": "sr-8_prm_1" - }, - { - "id": "sr-8_prm_2", - "depends-on": "sr-8_prm_1", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-8" - }, - { - "name": "sort-id", - "value": "SR-08" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - } - ], - "parts": [ - { - "id": "sr-8_smt", - "name": "statement", - "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}." - }, - { - "id": "sr-8_gdn", - "name": "guidance", - "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." - } - ] - }, - { - "id": "sr-10", - "class": "SP800-53", - "title": "Inspection of Systems or Components", - "parameters": [ - { - "id": "sr-10_prm_1" - }, - { - "id": "sr-10_prm_2", - "depends-on": "sr-10_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "sr-10_prm_3", - "depends-on": "sr-10_prm_1", - "label": "organization-defined indications of need for inspection" - }, - { - "id": "sr-10_prm_4", - "label": "organization-defined systems or system components" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-10" - }, - { - "name": "sort-id", - "value": "SR-10" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-10_smt", - "name": "statement", - "prose": "Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}." - }, - { - "id": "sr-10_gdn", - "name": "guidance", - "prose": "Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations." - } - ] - }, - { - "id": "sr-11", - "class": "SP800-53", - "title": "Component Authenticity", - "parameters": [ - { - "id": "sr-11_prm_1" - }, - { - "id": "sr-11_prm_2", - "depends-on": "sr-11_prm_1", - "label": "organization-defined external reporting organizations" - }, - { - "id": "sr-11_prm_3", - "depends-on": "sr-11_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11" - }, - { - "name": "sort-id", - "value": "SR-11" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - } - ], - "parts": [ - { - "id": "sr-11_smt", - "name": "statement", - "parts": [ - { - "id": "sr-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" - }, - { - "id": "sr-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report counterfeit system components to {{ sr-11_prm_1 }}." - } - ] - }, - { - "id": "sr-11_gdn", - "name": "guidance", - "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." - } - ], - "controls": [ - { - "id": "sr-11.1", - "class": "SP800-53-enhancement", - "title": "Anti-counterfeit Training", - "parameters": [ - { - "id": "sr-11.1_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(1)" - }, - { - "name": "sort-id", - "value": "SR-11(01)" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "sr-11.1_smt", - "name": "statement", - "prose": "Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware)." - }, - { - "id": "sr-11.1_gdn", - "name": "guidance", - "prose": "None." - } - ] - }, - { - "id": "sr-11.2", - "class": "SP800-53-enhancement", - "title": "Configuration Control for Component Service and Repair", - "parameters": [ - { - "id": "sr-11.2_prm_1", - "label": "organization-defined system components" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(2)" - }, - { - "name": "sort-id", - "value": "SR-11(02)" - } - ], - "links": [ - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - } - ], - "parts": [ - { - "id": "sr-11.2_smt", - "name": "statement", - "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}." - }, - { - "id": "sr-11.2_gdn", - "name": "guidance", - "prose": "None." - } - ] - }, - { - "id": "sr-11.3", - "class": "SP800-53-enhancement", - "title": "Component Disposal", - "parameters": [ - { - "id": "sr-11.3_prm_1", - "label": "organization-defined techniques and methods" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(3)" - }, - { - "name": "sort-id", - "value": "SR-11(03)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - } - ], - "parts": [ - { - "id": "sr-11.3_smt", - "name": "statement", - "prose": "Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}." - }, - { - "id": "sr-11.3_gdn", - "name": "guidance", - "prose": "Proper disposal of system components helps to prevent such components from entering the gray market." - } - ] - } - ] - } - ] - } - ], - "back-matter": { - "resources": [ - { - "uuid": "a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "title": "[PRIVACT]", - "citation": { - "text": "Privacy Act (P.L. 93-579), December 1974." - }, - "rlinks": [ - { - "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" - } - ] - }, - { - "uuid": "43facb7b-0afb-480f-8191-34790d5b444b", - "title": "[EVIDACT]", - "citation": { - "text": "Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf" - } - ] - }, - { - "uuid": "52a8b0c6-0c6b-424b-928d-41c50ba87838", - "title": "[EO 13526]", - "citation": { - "text": "Executive Order 13526, *Classified National Security Information*, December 2009." - }, - "rlinks": [ - { - "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" - } - ] - }, - { - "uuid": "14958422-54f6-471f-a345-802dca594dd8", - "title": "[FISMA]", - "citation": { - "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" - } - ] - }, - { - "uuid": "2b5e12fb-633f-49e6-8aff-81d75bf53545", - "title": "[EO 13587]", - "citation": { - "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011." - }, - "rlinks": [ - { - "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" - } - ] - }, - { - "uuid": "cde25174-38e0-4a00-8919-8ee3674b8088", - "title": "[HSPD 7]", - "citation": { - "text": "Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/homeland-security-presidential-directive-7" - } - ] - }, - { - "uuid": "2383ccfd-d8a0-4e3a-bf40-21288ae1e07a", - "title": "[5 CFR 731]", - "citation": { - "text": "Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106)." - }, - "rlinks": [ - { - "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" - } - ] - }, - { - "uuid": "742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "title": "[32 CFR 2002]", - "citation": { - "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002)." - }, - "rlinks": [ - { - "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" - } - ] - }, - { - "uuid": "286d42a1-efbe-49a2-9ce1-4c9bf68feb3b", - "title": "[ODNI NITP]", - "citation": { - "text": "Office of the Director National Intelligence, *National Insider Threat Policy*\n " - }, - "rlinks": [ - { - "href": "https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf" - } - ] - }, - { - "uuid": "395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "title": "[OMB A-108]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf" - } - ] - }, - { - "uuid": "a646d45d-775f-4887-86d3-5a00ffbc4090", - "title": "[OMB A-130]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016." - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" - } - ] - }, - { - "uuid": "f7d3617a-9a4f-4f1a-a688-845081b70390", - "title": "[OMB M-17-06]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf" - } - ] - }, - { - "uuid": "389fe193-866e-46b1-bf1d-38904b56aa7b", - "title": "[OMB M-17-12]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n " - }, - "rlinks": [ - { - "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" - } - ] - }, - { - "uuid": "ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3", - "title": "[OMB M-17-25]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf" - } - ] - }, - { - "uuid": "d843e915-eeb6-4bbe-8cab-ccc802088703", - "title": "[OMB M-19-23]", - "citation": { - "text": "Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf" - } - ] - }, - { - "uuid": "ee96f130-3f91-46ed-a4d8-57e5f220a623", - "title": "[CNSSI 1253]", - "citation": { - "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014." - }, - "rlinks": [ - { - "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" - } - ] - }, - { - "uuid": "24b7b1ec-6430-41de-9353-29fdb1b488fc", - "title": "[DHS NIPP]", - "citation": { - "text": "Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf" - } - ] - }, - { - "uuid": "6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "title": "[ISO 15408-1]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" - } - ] - }, - { - "uuid": "18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "title": "[ISO 15408-2]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" - } - ] - }, - { - "uuid": "2ce3a8bf-7f8b-4249-bd16-808231415b14", - "title": "[ISO 15408-3]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" - } - ] - }, - { - "uuid": "aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "title": "[FIPS 140-3]", - "citation": { - "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.140-3" - } - ] - }, - { - "uuid": "d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "title": "[FIPS 180-4]", - "citation": { - "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.180-4" - } - ] - }, - { - "uuid": "0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "title": "[FIPS 186-4]", - "citation": { - "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.186-4" - } - ] - }, - { - "uuid": "bbc7085f-b383-444e-af74-722a55cccc0f", - "title": "[FIPS 197]", - "citation": { - "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.197" - } - ] - }, - { - "uuid": "b3e26423-0687-47c7-ba9a-a96870d58a27", - "title": "[FIPS 199]", - "citation": { - "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.199" - } - ] - }, - { - "uuid": "f2163084-3287-45e2-9ee7-95f020415495", - "title": "[FIPS 200]", - "citation": { - "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.200" - } - ] - }, - { - "uuid": "ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "title": "[FIPS 201-2]", - "citation": { - "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.201-2" - } - ] - }, - { - "uuid": "11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "title": "[FIPS 202]", - "citation": { - "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.202" - } - ] - }, - { - "uuid": "12702585-0c72-43c9-9185-a76a59f74233", - "title": "[SP 800-12]", - "citation": { - "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-12r1" - } - ] - }, - { - "uuid": "ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "title": "[SP 800-18]", - "citation": { - "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-18r1" - } - ] - }, - { - "uuid": "1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "title": "[SP 800-30]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-30r1" - } - ] - }, - { - "uuid": "65774382-fcc6-4bbc-89fc-9d35aab19952", - "title": "[SP 800-34]", - "citation": { - "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-34r1" - } - ] - }, - { - "uuid": "ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "title": "[SP 800-35]", - "citation": { - "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-35" - } - ] - }, - { - "uuid": "e07d73ea-96b9-4330-aff2-e0215f455343", - "title": "[SP 800-37]", - "citation": { - "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-37r2" - } - ] - }, - { - "uuid": "451e9636-402e-4c27-b3f5-e0e50f957f27", - "title": "[SP 800-39]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-39" - } - ] - }, - { - "uuid": "1126ec09-2b27-4a21-80b2-fef70b31c49d", - "title": "[SP 800-40]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-40r3" - } - ] - }, - { - "uuid": "db7877cf-1013-4fb1-b943-ca9361d16370", - "title": "[SP 800-41]", - "citation": { - "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-41r1" - } - ] - }, - { - "uuid": "7768c184-088d-4ee8-a316-f9286b52df7f", - "title": "[SP 800-46]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-46r2" - } - ] - }, - { - "uuid": "2e66c31a-190e-49ad-8e00-f306f8a0df17", - "title": "[SP 800-47]", - "citation": { - "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-47" - } - ] - }, - { - "uuid": "2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "title": "[SP 800-50]", - "citation": { - "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-50" - } - ] - }, - { - "uuid": "5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "title": "[SP 800-53A]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" - } - ] - }, - { - "uuid": "31f3c9de-c57c-4281-929b-f9951f9640f1", - "title": "[SP 800-53B]", - "citation": { - "text": "National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020." - } - }, - { - "uuid": "8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "title": "[SP 800-55]", - "citation": { - "text": "Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-55r1" - } - ] - }, - { - "uuid": "77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "title": "[SP 800-56A]", - "citation": { - "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" - } - ] - }, - { - "uuid": "f417e4ec-cadb-47a8-a363-6006b32c28ad", - "title": "[SP 800-56B]", - "citation": { - "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" - } - ] - }, - { - "uuid": "7c3ba335-62bd-4f03-888f-960790409b11", - "title": "[SP 800-56C]", - "citation": { - "text": "Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Cr1" - } - ] - }, - { - "uuid": "770f9bdc-4023-48ef-8206-c65397f061ea", - "title": "[SP 800-57-1]", - "citation": { - "text": "Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r4" - } - ] - }, - { - "uuid": "69644a9e-438a-47c3-bac9-cf28b5baf848", - "title": "[SP 800-57-2]", - "citation": { - "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" - } - ] - }, - { - "uuid": "9933c883-e8f3-4a83-9a9a-d1e058038080", - "title": "[SP 800-57-3]", - "citation": { - "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" - } - ] - }, - { - "uuid": "68949f14-9cf5-4116-91d8-e820b9df3ffd", - "title": "[SP 800-60 v1]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" - } - ] - }, - { - "uuid": "e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "title": "[SP 800-60 v2]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" - } - ] - }, - { - "uuid": "7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "title": "[SP 800-61]", - "citation": { - "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-61r2" - } - ] - }, - { - "uuid": "549993c0-9bdd-4d49-875c-f56950cc5f30", - "title": "[SP 800-63-3]", - "citation": { - "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-63-3" - } - ] - }, - { - "uuid": "14a7d982-9747-48e0-a877-3e8fbf6ae381", - "title": "[SP 800-70]", - "citation": { - "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-70r4" - } - ] - }, - { - "uuid": "3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "title": "[SP 800-73-4]", - "citation": { - "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-73-4" - } - ] - }, - { - "uuid": "d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "title": "[SP 800-76-2]", - "citation": { - "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-76-2" - } - ] - }, - { - "uuid": "8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "title": "[SP 800-77]", - "citation": { - "text": "Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-77" - } - ] - }, - { - "uuid": "013e098f-0680-4856-a130-b768c69dab9c", - "title": "[SP 800-78-4]", - "citation": { - "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-78-4" - } - ] - }, - { - "uuid": "bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "title": "[SP 800-79-2]", - "citation": { - "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-79-2" - } - ] - }, - { - "uuid": "93d44344-59f9-4669-845d-6cc2a5852621", - "title": "[SP 800-81-2]", - "citation": { - "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-81-2" - } - ] - }, - { - "uuid": "8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "title": "[SP 800-83]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-83r1" - } - ] - }, - { - "uuid": "20bf433b-074c-47a0-8fca-cd591772ccd6", - "title": "[SP 800-84]", - "citation": { - "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-84" - } - ] - }, - { - "uuid": "35dfd59f-eef2-4f71-bdb5-6d878267456a", - "title": "[SP 800-86]", - "citation": { - "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-86" - } - ] - }, - { - "uuid": "fed6a3b5-2b74-499f-9172-46671f7c24c8", - "title": "[SP 800-88]", - "citation": { - "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-88r1" - } - ] - }, - { - "uuid": "02d8ec60-6197-43f8-9f47-18732127963e", - "title": "[SP 800-92]", - "citation": { - "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-92" - } - ] - }, - { - "uuid": "41e2e2c6-2260-4258-85c8-09db17c43103", - "title": "[SP 800-94]", - "citation": { - "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-94" - } - ] - }, - { - "uuid": "6bed1550-cd5d-4e80-8d83-4e597c1514fe", - "title": "[SP 800-97]", - "citation": { - "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-97" - } - ] - }, - { - "uuid": "9183bd83-170e-4701-b32c-97e08ef8bedb", - "title": "[SP 800-100]", - "citation": { - "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-100" - } - ] - }, - { - "uuid": "1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "title": "[SP 800-101]", - "citation": { - "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-101r1" - } - ] - }, - { - "uuid": "1b14b50f-7154-4226-958c-7dfff8276755", - "title": "[SP 800-111]", - "citation": { - "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-111" - } - ] - }, - { - "uuid": "36132a58-56fd-4980-9f6c-c010d3faf52b", - "title": "[SP 800-113]", - "citation": { - "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-113" - } - ] - }, - { - "uuid": "49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "title": "[SP 800-114]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-114r1" - } - ] - }, - { - "uuid": "a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "title": "[SP 800-115]", - "citation": { - "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-115" - } - ] - }, - { - "uuid": "ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "title": "[SP 800-116]", - "citation": { - "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-116r1" - } - ] - }, - { - "uuid": "60b24979-65b8-4ca5-a442-11b74339fab5", - "title": "[SP 800-121]", - "citation": { - "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-121r2" - } - ] - }, - { - "uuid": "18c6942b-95f8-414c-b548-c8e6b8d8a172", - "title": "[SP 800-124]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-124r1" - } - ] - }, - { - "uuid": "c972a85c-fa75-4596-be25-a338dc7e4e46", - "title": "[SP 800-125B]", - "citation": { - "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-125B" - } - ] - }, - { - "uuid": "0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "title": "[SP 800-126]", - "citation": { - "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-126r3" - } - ] - }, - { - "uuid": "a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "title": "[SP 800-128]", - "citation": { - "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-128" - } - ] - }, - { - "uuid": "ae412317-c2b4-47bb-b47b-c329ce0d7a0b", - "title": "[SP 800-130]", - "citation": { - "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-130" - } - ] - }, - { - "uuid": "c3b34083-77b2-4dab-a980-73068f8933bd", - "title": "[SP 800-137]", - "citation": { - "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-137" - } - ] - }, - { - "uuid": "ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "title": "[SP 800-150]", - "citation": { - "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-150" - } - ] - }, - { - "uuid": "38dbdf55-9a14-446f-b563-c48e4e3d37fb", - "title": "[SP 800-152]", - "citation": { - "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-152" - } - ] - }, - { - "uuid": "f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa", - "title": "[SP 800-156]", - "citation": { - "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-156" - } - ] - }, - { - "uuid": "8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "title": "[SP 800-160 v1]", - "citation": { - "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v1" - } - ] - }, - { - "uuid": "8411e6e8-09bd-431d-bbcb-3423d36ad880", - "title": "[SP 800-160 v2]", - "citation": { - "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v2" - } - ] - }, - { - "uuid": "66476e76-46b4-47fb-be19-d13e6f3840df", - "title": "[SP 800-161]", - "citation": { - "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-161" - } - ] - }, - { - "uuid": "359f960c-2598-454c-ba3b-a30c553e498f", - "title": "[SP 800-162]", - "citation": { - "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-162" - } - ] - }, - { - "uuid": "a8f55663-86c5-415b-aabe-d2a126981d65", - "title": "[SP 800-166]", - "citation": { - "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-166" - } - ] - }, - { - "uuid": "893d1736-324c-41d6-a5f4-d526b5ca981a", - "title": "[SP 800-167]", - "citation": { - "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-167" - } - ] - }, - { - "uuid": "0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "title": "[SP 800-171]", - "citation": { - "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-171r2" - } - ] - }, - { - "uuid": "aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "title": "[SP 800-171B]", - "citation": { - "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf" - } - ] - }, - { - "uuid": "64e044e4-b2a9-490f-a079-1106407c812f", - "title": "[SP 800-177]", - "citation": { - "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-177r1" - } - ] - }, - { - "uuid": "223b23a9-baea-4a50-8058-63cf7967b61f", - "title": "[SP 800-178]", - "citation": { - "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-178" - } - ] - }, - { - "uuid": "f4c3f657-de83-47ae-9aec-e144de8268d1", - "title": "[SP 800-181]", - "citation": { - "text": "Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-181" - } - ] - }, - { - "uuid": "08f518f7-f9b9-4bee-8986-860214f46b16", - "title": "[SP 800-184]", - "citation": { - "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-184" - } - ] - }, - { - "uuid": "eadef75e-7e4d-4554-b818-44946c1dde0e", - "title": "[SP 800-188]", - "citation": { - "text": "Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/publications/detail/sp/800-188/draft" - } - ] - }, - { - "uuid": "3862cd94-ff25-4631-9a9a-b92c21a0a923", - "title": "[SP 800-189]", - "citation": { - "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-189" - } - ] - }, - { - "uuid": "06d3c11a-4a00-42d9-ad75-e6a777ffae5e", - "title": "[SP 800-192]", - "citation": { - "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-192" - } - ] - }, - { - "uuid": "d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "title": "[IR 7539]", - "citation": { - "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7539" - } - ] - }, - { - "uuid": "09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "title": "[IR 7559]", - "citation": { - "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7559" - } - ] - }, - { - "uuid": "7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "title": "[IR 7622]", - "citation": { - "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7622" - } - ] - }, - { - "uuid": "daf69edb-a0ef-4447-9880-8c4bf553181f", - "title": "[IR 7676]", - "citation": { - "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7676" - } - ] - }, - { - "uuid": "bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "title": "[IR 7788]", - "citation": { - "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7788" - } - ] - }, - { - "uuid": "a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "title": "[IR 7817]", - "citation": { - "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7817" - } - ] - }, - { - "uuid": "972c10bd-aedf-485f-b0db-f46a402127e2", - "title": "[IR 7849]", - "citation": { - "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7849" - } - ] - }, - { - "uuid": "197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "title": "[IR 7870]", - "citation": { - "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7870" - } - ] - }, - { - "uuid": "bb22d510-54a9-4588-b725-00d37576562b", - "title": "[IR 7874]", - "citation": { - "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7874" - } - ] - }, - { - "uuid": "f437b52f-7f26-42aa-8e8f-999e7d67b2fe", - "title": "[IR 7956]", - "citation": { - "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7956" - } - ] - }, - { - "uuid": "30213e10-2aca-47b3-8cdb-61303e0959f5", - "title": "[IR 7966]", - "citation": { - "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7966" - } - ] - }, - { - "uuid": "851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "title": "[IR 8011 v1]", - "citation": { - "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8011-1" - } - ] - }, - { - "uuid": "7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "title": "[IR 8023]", - "citation": { - "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8023" - } - ] - }, - { - "uuid": "24738ee6-b3f3-4e37-825b-58775846bdbc", - "title": "[IR 8040]", - "citation": { - "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8040" - } - ] - }, - { - "uuid": "817b4227-5857-494d-9032-915980b32f15", - "title": "[IR 8062]", - "citation": { - "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8062" - } - ] - }, - { - "uuid": "7a93e915-fd58-4147-be12-e48044c367e6", - "title": "[IR 8179]", - "citation": { - "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8179" - } - ] - }, - { - "uuid": "294eed19-7471-4517-9480-2ec73e7c6a78", - "title": "[DOD STIG]", - "citation": { - "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." - }, - "rlinks": [ - { - "href": "https://iase.disa.mil/stigs/Pages/index.aspx" - } - ] - }, - { - "uuid": "17ca9481-ea11-4ef2-81c1-885fd37d4be5", - "title": "[IETF 5905]", - "citation": { - "text": "" - } - }, - { - "uuid": "dd87fdf0-840d-4392-9de4-220b2327e340", - "title": "[NARA CUI]", - "citation": { - "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." - }, - "rlinks": [ - { - "href": "https://www.archives.gov/cui" - } - ] - }, - { - "uuid": "5dac2312-1d0d-416f-aebb-400fa9775b74", - "title": "[NIAP CCEVS]", - "citation": { - "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." - }, - "rlinks": [ - { - "href": "https://www.niap-ccevs.org/" - } - ] - }, - { - "uuid": "5cc04a1c-5489-4751-a493-746a9639067b", - "title": "[NCPR]", - "citation": { - "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at" - }, - "rlinks": [ - { - "href": "https://nvd.nist.gov/ncp/repository" - } - ] - }, - { - "uuid": "634dec27-df88-4c30-b1a4-b57cdfd24f20", - "title": "[NSA CSFC]", - "citation": { - "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/csfc" - } - ] - }, - { - "uuid": "a52271dc-11b5-423a-8b6f-14867bd94259", - "title": "[NSA MEDIA]", - "citation": { - "text": "National Security Agency, *Media Destruction Guidance*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/media-destruction" - } - ] - }, - { - "uuid": "06842bea-64c9-4e20-807a-b8fc003fa737", - "title": "[USGCB]", - "citation": { - "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at" - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" - } - ] - } - ] - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile-min.json deleted file mode 100644 index 84b5155398..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile-min.json +++ /dev/null @@ -1 +0,0 @@ -{"profile":{"uuid":"7ef5286d-c162-439d-8c32-6eecd08f93d5","metadata":{"title":"SP800-53 LOW IMPACT BASELINE","last-modified":"2020-08-26T16:28:37.432-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"fcba95f8-df3b-47cd-ae6f-57089a2b7174","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["fcba95f8-df3b-47cd-ae6f-57089a2b7174"]},"contact":{"party-uuids":["fcba95f8-df3b-47cd-ae6f-57089a2b7174"]}}},"imports":[{"href":"NIST_SP-800-53_rev5-FPD_catalog.xml","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-2"},{"control-id":"ac-3"},{"control-id":"ac-6.7"},{"control-id":"ac-6.9"},{"control-id":"ac-7"},{"control-id":"ac-8"},{"control-id":"ac-14"},{"control-id":"ac-17"},{"control-id":"ac-18"},{"control-id":"ac-19"},{"control-id":"ac-20"},{"control-id":"ac-22"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-2.2"},{"control-id":"at-3"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-3"},{"control-id":"au-4"},{"control-id":"au-5"},{"control-id":"au-6"},{"control-id":"au-8"},{"control-id":"au-9"},{"control-id":"au-11"},{"control-id":"au-12"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-3"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-7.4"},{"control-id":"ca-9"},{"control-id":"cm-1"},{"control-id":"cm-2"},{"control-id":"cm-4"},{"control-id":"cm-5"},{"control-id":"cm-6"},{"control-id":"cm-7"},{"control-id":"cm-8"},{"control-id":"cm-10"},{"control-id":"cm-11"},{"control-id":"cp-1"},{"control-id":"cp-2"},{"control-id":"cp-3"},{"control-id":"cp-4"},{"control-id":"cp-9"},{"control-id":"cp-10"},{"control-id":"ia-1"},{"control-id":"ia-2"},{"control-id":"ia-2.1"},{"control-id":"ia-2.2"},{"control-id":"ia-2.8"},{"control-id":"ia-2.12"},{"control-id":"ia-4"},{"control-id":"ia-5"},{"control-id":"ia-5.1"},{"control-id":"ia-6"},{"control-id":"ia-7"},{"control-id":"ia-8"},{"control-id":"ia-8.1"},{"control-id":"ia-8.2"},{"control-id":"ia-8.4"},{"control-id":"ia-11"},{"control-id":"ir-1"},{"control-id":"ir-2"},{"control-id":"ir-4"},{"control-id":"ir-5"},{"control-id":"ir-6"},{"control-id":"ir-7"},{"control-id":"ir-8"},{"control-id":"ma-1"},{"control-id":"ma-2"},{"control-id":"ma-4"},{"control-id":"ma-5"},{"control-id":"mp-1"},{"control-id":"mp-2"},{"control-id":"mp-6"},{"control-id":"mp-7"},{"control-id":"pe-1"},{"control-id":"pe-2"},{"control-id":"pe-3"},{"control-id":"pe-6"},{"control-id":"pe-8"},{"control-id":"pe-12"},{"control-id":"pe-13"},{"control-id":"pe-14"},{"control-id":"pe-15"},{"control-id":"pe-16"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-4"},{"control-id":"pl-4.1"},{"control-id":"pl-10"},{"control-id":"pl-11"},{"control-id":"pm-1"},{"control-id":"pm-2"},{"control-id":"pm-3"},{"control-id":"pm-4"},{"control-id":"pm-5"},{"control-id":"pm-5.1"},{"control-id":"pm-6"},{"control-id":"pm-7"},{"control-id":"pm-7.1"},{"control-id":"pm-8"},{"control-id":"pm-9"},{"control-id":"pm-10"},{"control-id":"pm-11"},{"control-id":"pm-12"},{"control-id":"pm-13"},{"control-id":"pm-14"},{"control-id":"pm-15"},{"control-id":"pm-16"},{"control-id":"pm-16.1"},{"control-id":"pm-17"},{"control-id":"pm-18"},{"control-id":"pm-19"},{"control-id":"pm-20"},{"control-id":"pm-21"},{"control-id":"pm-22"},{"control-id":"pm-23"},{"control-id":"pm-24"},{"control-id":"pm-25"},{"control-id":"pm-26"},{"control-id":"pm-27"},{"control-id":"pm-28"},{"control-id":"pm-29"},{"control-id":"pm-30"},{"control-id":"pm-31"},{"control-id":"pm-32"},{"control-id":"ps-1"},{"control-id":"ps-2"},{"control-id":"ps-3"},{"control-id":"ps-4"},{"control-id":"ps-5"},{"control-id":"ps-6"},{"control-id":"ps-7"},{"control-id":"ps-8"},{"control-id":"ra-1"},{"control-id":"ra-2"},{"control-id":"ra-3"},{"control-id":"ra-3.1"},{"control-id":"ra-5"},{"control-id":"ra-5.2"},{"control-id":"ra-7"},{"control-id":"sa-1"},{"control-id":"sa-2"},{"control-id":"sa-3"},{"control-id":"sa-4"},{"control-id":"sa-4.10"},{"control-id":"sa-5"},{"control-id":"sa-8"},{"control-id":"sa-9"},{"control-id":"sa-22"},{"control-id":"sc-1"},{"control-id":"sc-5"},{"control-id":"sc-7"},{"control-id":"sc-12"},{"control-id":"sc-13"},{"control-id":"sc-15"},{"control-id":"sc-20"},{"control-id":"sc-21"},{"control-id":"sc-22"},{"control-id":"sc-39"},{"control-id":"si-1"},{"control-id":"si-2"},{"control-id":"si-3"},{"control-id":"si-4"},{"control-id":"si-5"},{"control-id":"si-12"},{"control-id":"sr-1"},{"control-id":"sr-2"},{"control-id":"sr-2.1"},{"control-id":"sr-3"},{"control-id":"sr-5"},{"control-id":"sr-8"},{"control-id":"sr-10"},{"control-id":"sr-11"},{"control-id":"sr-11.1"},{"control-id":"sr-11.2"},{"control-id":"sr-11.3"}]}}],"merge":{"as-is":true}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.json deleted file mode 100644 index a3006e231b..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.json +++ /dev/null @@ -1,620 +0,0 @@ -{ - "profile": { - "uuid": "7ef5286d-c162-439d-8c32-6eecd08f93d5", - "metadata": { - "title": "SP800-53 LOW IMPACT BASELINE", - "last-modified": "2020-08-26T16:28:37.432-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "fcba95f8-df3b-47cd-ae6f-57089a2b7174", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "fcba95f8-df3b-47cd-ae6f-57089a2b7174" - ] - }, - "contact": { - "party-uuids": [ - "fcba95f8-df3b-47cd-ae6f-57089a2b7174" - ] - } - } - }, - "imports": [ - { - "href": "NIST_SP-800-53_rev5-FPD_catalog.xml", - "include": { - "id-selectors": [ - { - "control-id": "ac-1" - }, - { - "control-id": "ac-2" - }, - { - "control-id": "ac-3" - }, - { - "control-id": "ac-6.7" - }, - { - "control-id": "ac-6.9" - }, - { - "control-id": "ac-7" - }, - { - "control-id": "ac-8" - }, - { - "control-id": "ac-14" - }, - { - "control-id": "ac-17" - }, - { - "control-id": "ac-18" - }, - { - "control-id": "ac-19" - }, - { - "control-id": "ac-20" - }, - { - "control-id": "ac-22" - }, - { - "control-id": "at-1" - }, - { - "control-id": "at-2" - }, - { - "control-id": "at-2.2" - }, - { - "control-id": "at-3" - }, - { - "control-id": "at-4" - }, - { - "control-id": "au-1" - }, - { - "control-id": "au-2" - }, - { - "control-id": "au-3" - }, - { - "control-id": "au-4" - }, - { - "control-id": "au-5" - }, - { - "control-id": "au-6" - }, - { - "control-id": "au-8" - }, - { - "control-id": "au-9" - }, - { - "control-id": "au-11" - }, - { - "control-id": "au-12" - }, - { - "control-id": "ca-1" - }, - { - "control-id": "ca-2" - }, - { - "control-id": "ca-3" - }, - { - "control-id": "ca-5" - }, - { - "control-id": "ca-6" - }, - { - "control-id": "ca-7" - }, - { - "control-id": "ca-7.4" - }, - { - "control-id": "ca-9" - }, - { - "control-id": "cm-1" - }, - { - "control-id": "cm-2" - }, - { - "control-id": "cm-4" - }, - { - "control-id": "cm-5" - }, - { - "control-id": "cm-6" - }, - { - "control-id": "cm-7" - }, - { - "control-id": "cm-8" - }, - { - "control-id": "cm-10" - }, - { - "control-id": "cm-11" - }, - { - "control-id": "cp-1" - }, - { - "control-id": "cp-2" - }, - { - "control-id": "cp-3" - }, - { - "control-id": "cp-4" - }, - { - "control-id": "cp-9" - }, - { - "control-id": "cp-10" - }, - { - "control-id": "ia-1" - }, - { - "control-id": "ia-2" - }, - { - "control-id": "ia-2.1" - }, - { - "control-id": "ia-2.2" - }, - { - "control-id": "ia-2.8" - }, - { - "control-id": "ia-2.12" - }, - { - "control-id": "ia-4" - }, - { - "control-id": "ia-5" - }, - { - "control-id": "ia-5.1" - }, - { - "control-id": "ia-6" - }, - { - "control-id": "ia-7" - }, - { - "control-id": "ia-8" - }, - { - "control-id": "ia-8.1" - }, - { - "control-id": "ia-8.2" - }, - { - "control-id": "ia-8.4" - }, - { - "control-id": "ia-11" - }, - { - "control-id": "ir-1" - }, - { - "control-id": "ir-2" - }, - { - "control-id": "ir-4" - }, - { - "control-id": "ir-5" - }, - { - "control-id": "ir-6" - }, - { - "control-id": "ir-7" - }, - { - "control-id": "ir-8" - }, - { - "control-id": "ma-1" - }, - { - "control-id": "ma-2" - }, - { - "control-id": "ma-4" - }, - { - "control-id": "ma-5" - }, - { - "control-id": "mp-1" - }, - { - "control-id": "mp-2" - }, - { - "control-id": "mp-6" - }, - { - "control-id": "mp-7" - }, - { - "control-id": "pe-1" - }, - { - "control-id": "pe-2" - }, - { - "control-id": "pe-3" - }, - { - "control-id": "pe-6" - }, - { - "control-id": "pe-8" - }, - { - "control-id": "pe-12" - }, - { - "control-id": "pe-13" - }, - { - "control-id": "pe-14" - }, - { - "control-id": "pe-15" - }, - { - "control-id": "pe-16" - }, - { - "control-id": "pl-1" - }, - { - "control-id": "pl-2" - }, - { - "control-id": "pl-4" - }, - { - "control-id": "pl-4.1" - }, - { - "control-id": "pl-10" - }, - { - "control-id": "pl-11" - }, - { - "control-id": "pm-1" - }, - { - "control-id": "pm-2" - }, - { - "control-id": "pm-3" - }, - { - "control-id": "pm-4" - }, - { - "control-id": "pm-5" - }, - { - "control-id": "pm-5.1" - }, - { - "control-id": "pm-6" - }, - { - "control-id": "pm-7" - }, - { - "control-id": "pm-7.1" - }, - { - "control-id": "pm-8" - }, - { - "control-id": "pm-9" - }, - { - "control-id": "pm-10" - }, - { - "control-id": "pm-11" - }, - { - "control-id": "pm-12" - }, - { - "control-id": "pm-13" - }, - { - "control-id": "pm-14" - }, - { - "control-id": "pm-15" - }, - { - "control-id": "pm-16" - }, - { - "control-id": "pm-16.1" - }, - { - "control-id": "pm-17" - }, - { - "control-id": "pm-18" - }, - { - "control-id": "pm-19" - }, - { - "control-id": "pm-20" - }, - { - "control-id": "pm-21" - }, - { - "control-id": "pm-22" - }, - { - "control-id": "pm-23" - }, - { - "control-id": "pm-24" - }, - { - "control-id": "pm-25" - }, - { - "control-id": "pm-26" - }, - { - "control-id": "pm-27" - }, - { - "control-id": "pm-28" - }, - { - "control-id": "pm-29" - }, - { - "control-id": "pm-30" - }, - { - "control-id": "pm-31" - }, - { - "control-id": "pm-32" - }, - { - "control-id": "ps-1" - }, - { - "control-id": "ps-2" - }, - { - "control-id": "ps-3" - }, - { - "control-id": "ps-4" - }, - { - "control-id": "ps-5" - }, - { - "control-id": "ps-6" - }, - { - "control-id": "ps-7" - }, - { - "control-id": "ps-8" - }, - { - "control-id": "ra-1" - }, - { - "control-id": "ra-2" - }, - { - "control-id": "ra-3" - }, - { - "control-id": "ra-3.1" - }, - { - "control-id": "ra-5" - }, - { - "control-id": "ra-5.2" - }, - { - "control-id": "ra-7" - }, - { - "control-id": "sa-1" - }, - { - "control-id": "sa-2" - }, - { - "control-id": "sa-3" - }, - { - "control-id": "sa-4" - }, - { - "control-id": "sa-4.10" - }, - { - "control-id": "sa-5" - }, - { - "control-id": "sa-8" - }, - { - "control-id": "sa-9" - }, - { - "control-id": "sa-22" - }, - { - "control-id": "sc-1" - }, - { - "control-id": "sc-5" - }, - { - "control-id": "sc-7" - }, - { - "control-id": "sc-12" - }, - { - "control-id": "sc-13" - }, - { - "control-id": "sc-15" - }, - { - "control-id": "sc-20" - }, - { - "control-id": "sc-21" - }, - { - "control-id": "sc-22" - }, - { - "control-id": "sc-39" - }, - { - "control-id": "si-1" - }, - { - "control-id": "si-2" - }, - { - "control-id": "si-3" - }, - { - "control-id": "si-4" - }, - { - "control-id": "si-5" - }, - { - "control-id": "si-12" - }, - { - "control-id": "sr-1" - }, - { - "control-id": "sr-2" - }, - { - "control-id": "sr-2.1" - }, - { - "control-id": "sr-3" - }, - { - "control-id": "sr-5" - }, - { - "control-id": "sr-8" - }, - { - "control-id": "sr-10" - }, - { - "control-id": "sr-11" - }, - { - "control-id": "sr-11.1" - }, - { - "control-id": "sr-11.2" - }, - { - "control-id": "sr-11.3" - } - ] - } - } - ], - "merge": { - "as-is": true - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog-min.json deleted file mode 100644 index f38e2cd4b2..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog-min.json +++ /dev/null @@ -1 +0,0 @@ -{"catalog":{"uuid":"b50ea9d9-e0b8-4e91-a6b8-1ad84fb0488e","metadata":{"title":"SP800-53 MODERATE IMPACT BASELINE","last-modified":"2020-08-26T16:28:37.775-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:39:50.308351Z"}],"links":[{"href":"NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml","rel":"resolution-source","text":"SP800-53 MODERATE IMPACT BASELINE"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"2ef7cfec-cb8e-4571-a7a2-a5c609b4767a","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["2ef7cfec-cb8e-4571-a7a2-a5c609b4767a"]},"contact":{"party-uuids":["2ef7cfec-cb8e-4571-a7a2-a5c609b4767a"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2"},{"id":"ac-1_prm_3","label":"organization-defined official"},{"id":"ac-1_prm_4","label":"organization-defined frequency"},{"id":"ac-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-1"},{"name":"sort-id","value":"AC-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ac-1_prm_2 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ac-1_prm_4 }}; and"},{"id":"ac-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ac-1_prm_5 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","parameters":[{"id":"ac-2_prm_1","label":"organization-defined attributes (as required)"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined policy, procedures, and conditions"},{"id":"ac-2_prm_4","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_5","label":"organization-defined time-period"},{"id":"ac-2_prm_6","label":"organization-defined time-period"},{"id":"ac-2_prm_7","label":"organization-defined time-period"},{"id":"ac-2_prm_8","label":"organization-defined attributes (as required)"},{"id":"ac-2_prm_9","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-2"},{"name":"sort-id","value":"AC-02"}],"links":[{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#06d3c11a-4a00-42d9-ad75-e6a777ffae5e","rel":"reference","text":"[SP 800-192]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-24","rel":"related","text":"AC-24"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-37","rel":"related","text":"SC-37"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed for use within the system;"},{"id":"ac-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establish conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ ac-2_prm_2 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ ac-2_prm_4 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ac-2_prm_5 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ ac-2_prm_6 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"\n {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"\n {{ ac-2_prm_8 }};"}]},{"id":"ac-2_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ ac-2_prm_9 }};"},{"id":"ac-2_smt.k","name":"item","properties":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","properties":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy.\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","parameters":[{"id":"ac-2.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"AC-02(01)"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ ac-2.1_prm_1 }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage."}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","parameters":[{"id":"ac-2.2_prm_1"},{"id":"ac-2.2_prm_2","label":"organization-defined time-period for each type of account"}],"properties":[{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"AC-02(02)"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ ac-2.2_prm_1 }} temporary and emergency accounts after {{ ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation."}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","parameters":[{"id":"ac-2.3_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"AC-02(03)"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ ac-2.3_prm_1 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system."}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","properties":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"AC-02(04)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6."}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","parameters":[{"id":"ac-2.5_prm_1","label":"organization-defined time-period of expected inactivity or description of when to log out"}],"properties":[{"name":"label","value":"AC-2(5)"},{"name":"sort-id","value":"AC-02(05)"}],"links":[{"href":"#ac-11","rel":"related","text":"AC-11"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ ac-2.5_prm_1 }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11."}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","parameters":[{"id":"ac-2.13_prm_1","label":"organization-defined time-period"},{"id":"ac-2.13_prm_2","label":"organization-defined significant risks"}],"properties":[{"name":"label","value":"AC-2(13)"},{"name":"sort-id","value":"AC-02(13)"}],"links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of users within {{ ac-2.13_prm_1 }} of discovery of {{ ac-2.13_prm_2 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement."}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","properties":[{"name":"label","value":"AC-3"},{"name":"sort-id","value":"AC-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#ac-24","rel":"related","text":"AC-24"},{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-6","rel":"related","text":"IA-6"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-4","rel":"related","text":"SC-4"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family."}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","parameters":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"properties":[{"name":"label","value":"AC-4"},{"name":"sort-id","value":"AC-04"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#359f960c-2598-454c-ba3b-a30c553e498f","rel":"reference","text":"[SP 800-162]"},{"href":"#223b23a9-baea-4a50-8058-63cf7967b61f","rel":"reference","text":"[SP 800-178]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-4","rel":"related","text":"SC-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-31","rel":"related","text":"SC-31"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels.\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS)."}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","parameters":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals requiring separation"}],"properties":[{"name":"label","value":"AC-5"},{"name":"sort-id","value":"AC-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document {{ ac-5_prm_1 }}; and"},{"id":"ac-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3."}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","properties":[{"name":"label","value":"AC-6"},{"name":"sort-id","value":"AC-06"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-38","rel":"related","text":"SC-38"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","parameters":[{"id":"ac-6.1_prm_1","label":"organization-defined individuals or roles"},{"id":"ac-6.1_prm_2","label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-6.1_prm_3","label":"organization-defined security-relevant information"}],"properties":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"AC-06(01)"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#pe-2","rel":"related","text":"PE-2"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Explicitly authorize access for {{ ac-6.1_prm_1 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"\n {{ ac-6.1_prm_2 }}; and"},{"id":"ac-6.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"\n {{ ac-6.1_prm_3 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","parameters":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant information"}],"properties":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"AC-06(02)"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#pl-4","rel":"related","text":"PL-4"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","parameters":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"AC-06(05)"}],"links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk."}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","parameters":[{"id":"ac-6.7_prm_1","label":"organization-defined frequency"},{"id":"ac-6.7_prm_2","label":"organization-defined roles or classes of users"}],"properties":[{"name":"label","value":"AC-6(7)"},{"name":"sort-id","value":"AC-06(07)"}],"links":[{"href":"#ca-7","rel":"related","text":"CA-7"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Review {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","properties":[{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"AC-06(09)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Audit the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat."}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","properties":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"AC-06(10)"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3."}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","parameters":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time-period"},{"id":"ac-7_prm_3"},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time-period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"},{"id":"ac-7_prm_6","depends-on":"ac-7_prm_3","label":"organization-defined action"}],"properties":[{"name":"label","value":"AC-7"},{"name":"sort-id","value":"AC-07"}],"links":[{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-5","rel":"related","text":"IA-5"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address.\nTechniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","parameters":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"properties":[{"name":"label","value":"AC-8"},{"name":"sort-id","value":"AC-08"}],"links":[{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","parameters":[{"id":"ac-11_prm_1"},{"id":"ac-11_prm_2","depends-on":"ac-11_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AC-11"},{"name":"sort-id","value":"AC-11"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#pl-4","rel":"related","text":"PL-4"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ ac-11_prm_1 }}; and"},{"id":"ac-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays."}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","properties":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"AC-11(01)"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed."}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","parameters":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session disconnect"}],"properties":[{"name":"label","value":"AC-12"},{"name":"sort-id","value":"AC-12"}],"links":[{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-23","rel":"related","text":"SC-23"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","parameters":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"properties":[{"name":"label","value":"AC-14"},{"name":"sort-id","value":"AC-14"}],"links":[{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and"},{"id":"ac-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none."}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","properties":[{"name":"label","value":"AC-17"},{"name":"sort-id","value":"AC-17"}],"links":[{"href":"#7768c184-088d-4ee8-a316-f9286b52df7f","rel":"reference","text":"[SP 800-46]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#36132a58-56fd-4980-9f6c-c010d3faf52b","rel":"reference","text":"[SP 800-113]"},{"href":"#49fa1ee1-aaf7-4270-bb5a-a86497f717dc","rel":"reference","text":"[SP 800-114]"},{"href":"#60b24979-65b8-4ca5-a442-11b74339fab5","rel":"reference","text":"[SP 800-121]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3."}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","properties":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"AC-17(01)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a."}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","properties":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"AC-17(02)"}],"links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","properties":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"AC-17(03)"}],"links":[{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface."}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","parameters":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"properties":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"AC-17(04)"}],"links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ ac-17.4_prm_1 }}; and"},{"id":"ac-17.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","properties":[{"name":"label","value":"AC-18"},{"name":"sort-id","value":"AC-18"}],"links":[{"href":"#41e2e2c6-2260-4258-85c8-09db17c43103","rel":"reference","text":"[SP 800-94]"},{"href":"#6bed1550-cd5d-4e80-8d83-4e597c1514fe","rel":"reference","text":"[SP 800-97]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication."}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","parameters":[{"id":"ac-18.1_prm_1"}],"properties":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"AC-18(01)"}],"links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies."}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","properties":[{"name":"label","value":"AC-18(3)"},{"name":"sort-id","value":"AC-18(03)"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","properties":[{"name":"label","value":"AC-19"},{"name":"sort-id","value":"AC-19"}],"links":[{"href":"#49fa1ee1-aaf7-4270-bb5a-a86497f717dc","rel":"reference","text":"[SP 800-114]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-11","rel":"related","text":"AC-11"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled."}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device and Container-based Encryption","parameters":[{"id":"ac-19.5_prm_1"},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"properties":[{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"AC-19(05)"}],"links":[{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","parameters":[{"id":"ac-20_prm_1"},{"id":"ac-20_prm_2","depends-on":"ac-20_prm_1","label":"organization-defined terms and conditions"},{"id":"ac-20_prm_3","depends-on":"ac-20_prm_1","label":"organization-defined controls asserted to be implemented on external systems"}],"properties":[{"name":"label","value":"AC-20"},{"name":"sort-id","value":"AC-20"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#aad55f03-8ece-4b21-b09c-9ef65b5a9f55","rel":"reference","text":"[SP 800-171B]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries.\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\nThis control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","properties":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"AC-20(01)"}],"links":[{"href":"#ca-2","rel":"related","text":"CA-2"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","parameters":[{"id":"ac-20.2_prm_1","label":"organization-defined restrictions"}],"properties":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"AC-20(02)"}],"links":[{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#sc-41","rel":"related","text":"SC-41"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ ac-20.2_prm_1 }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","parameters":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"properties":[{"name":"label","value":"AC-21"},{"name":"sort-id","value":"AC-21"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ad3e8f21-07c6-4968-b002-00b64dfa70ae","rel":"reference","text":"[SP 800-150]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-15","rel":"related","text":"SC-15"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ {{ ac-21_prm_2 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA)."}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","parameters":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-22"},{"name":"sort-id","value":"AC-22"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-13","rel":"related","text":"AU-13"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible."}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2"},{"id":"at-1_prm_3","label":"organization-defined official"},{"id":"at-1_prm_4","label":"organization-defined frequency"},{"id":"at-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-1"},{"name":"sort-id","value":"AT-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ at-1_prm_2 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ at-1_prm_4 }}; and"},{"id":"at-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ at-1_prm_5 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"at-2","class":"SP800-53","title":"Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency"},{"id":"at-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-2"},{"name":"sort-id","value":"AT-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-16","rel":"related","text":"SA-16"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update awareness training {{ at-2_prm_2 }}."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective."}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","properties":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"AT-02(02)"}],"links":[{"href":"#pm-12","rel":"related","text":"PM-12"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide awareness training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations."}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","properties":[{"name":"label","value":"AT-2(3)"},{"name":"sort-id","value":"AT-02(03)"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined roles and responsibilities"},{"id":"at-3_prm_2","label":"organization-defined frequency"},{"id":"at-3_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-3"},{"name":"sort-id","value":"AT-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update role-based training {{ at-3_prm_3 }}."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective."}]},{"id":"at-4","class":"SP800-53","title":"Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AT-4"},{"name":"sort-id","value":"AT-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2"},{"id":"au-1_prm_3","label":"organization-defined official"},{"id":"au-1_prm_4","label":"organization-defined frequency"},{"id":"au-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-1"},{"name":"sort-id","value":"AU-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ au-1_prm_2 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ au-1_prm_4 }}; and"},{"id":"au-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ au-1_prm_5 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","parameters":[{"id":"au-2_prm_1","label":"organization-defined event types that the system is capable of logging"},{"id":"au-2_prm_2","label":"organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-2"},{"name":"sort-id","value":"AU-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#02d8ec60-6197-43f8-9f47-18732127963e","rel":"reference","text":"[SP 800-92]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ au-2_prm_3 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","properties":[{"name":"label","value":"AU-3"},{"name":"sort-id","value":"AU-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage."}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","parameters":[{"id":"au-3.1_prm_1","label":"organization-defined additional information"}],"properties":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"AU-03(01)"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ au-3.1_prm_1 }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest."}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","parameters":[{"id":"au-4_prm_1","label":"organization-defined audit log retention requirements"}],"properties":[{"name":"label","value":"AU-4"},{"name":"sort-id","value":"AU-04"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","parameters":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined time-period"},{"id":"au-5_prm_3","label":"organization-defined additional actions"}],"properties":[{"name":"label","value":"AU-5"},{"name":"sort-id","value":"AU-05"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ au-5_prm_3 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","parameters":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-6"},{"name":"sort-id","value":"AU-06"}],"links":[{"href":"#35dfd59f-eef2-4f71-bdb5-6d878267456a","rel":"reference","text":"[SP 800-86]"},{"href":"#1e2c475a-84ae-4c60-b420-8fb2ea552b71","rel":"reference","text":"[SP 800-101]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};"},{"id":"au-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report findings to {{ au-6_prm_3 }}; and"},{"id":"au-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","parameters":[{"id":"au-6.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"AU-06(01)"}],"links":[{"href":"#pm-7","rel":"related","text":"PM-7"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ au-6.1_prm_1 }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","properties":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"AU-06(03)"}],"links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ir-4","rel":"related","text":"IR-4"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness."}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","properties":[{"name":"label","value":"AU-7"},{"name":"sort-id","value":"AU-07"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","parameters":[{"id":"au-7.1_prm_1","label":"organization-defined fields within audit records"}],"properties":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"AU-07(01)"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component."}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","parameters":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"properties":[{"name":"label","value":"AU-8"},{"name":"sort-id","value":"AU-08"}],"links":[{"href":"#17ca9481-ea11-4ef2-81c1-885fd37d4be5","rel":"reference","text":"[IETF 5905]"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#sc-45","rel":"related","text":"SC-45"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","parameters":[{"id":"au-8.1_prm_1","label":"organization-defined frequency"},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source"},{"id":"au-8.1_prm_3","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"AU-08(01)"}],"parts":[{"id":"au-8.1_smt","name":"statement","parts":[{"id":"au-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Compare the internal system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ au-8.1_prm_3 }}."}]},{"id":"au-8.1_gdn","name":"guidance","prose":"Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network."}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","properties":[{"name":"label","value":"AU-9"},{"name":"sort-id","value":"AU-09"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#au-15","rel":"related","text":"AU-15"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."}],"controls":[{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","parameters":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users or roles"}],"properties":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"AU-09(04)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges."}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time-period consistent with records retention policy"}],"properties":[{"name":"label","value":"AU-11"},{"name":"sort-id","value":"AU-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention."}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","parameters":[{"id":"au-12_prm_1","label":"organization-defined system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-12"},{"name":"sort-id","value":"AU-12"}],"links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2"},{"id":"ca-1_prm_3","label":"organization-defined official"},{"id":"ca-1_prm_4","label":"organization-defined frequency"},{"id":"ca-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-1"},{"name":"sort-id","value":"CA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ca-1_prm_4 }}; and"},{"id":"ca-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ca-1_prm_5 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"properties":[{"name":"label","value":"CA-2"},{"name":"sort-id","value":"CA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Provide the results of the control assessment to {{ ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control."}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","properties":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"CA-02(01)"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services.\nIndependent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews.\nWhen organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","parameters":[{"id":"ca-3_prm_1"},{"id":"ca-3_prm_2","depends-on":"ca-3_prm_1","label":"organization-defined type of agreement"},{"id":"ca-3_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-3"},{"name":"sort-id","value":"CA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#2e66c31a-190e-49ad-8e00-f306f8a0df17","rel":"reference","text":"[SP 800-47]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }};"},{"id":"ca-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ ca-3_prm_3 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks."}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-5"},{"name":"sort-id","value":"CA-05"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB."}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"CA-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined system-level metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-7"},{"name":"sort-id","value":"CA-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#851b5ba4-6aa0-4583-857c-4c360cbdf2a0","rel":"reference","text":"[IR 8011 v1]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-31","rel":"related","text":"PM-31"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","properties":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"CA-07(01)"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services."}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","properties":[{"name":"label","value":"CA-7(4)"},{"name":"sort-id","value":"CA-07(04)"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","parameters":[{"id":"ca-9_prm_1","label":"organization-defined system components or classes of components"},{"id":"ca-9_prm_2","label":"organization-defined conditions"},{"id":"ca-9_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-9"},{"name":"sort-id","value":"CA-09"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ ca-9_prm_1 }} to the system;"},{"id":"ca-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ ca-9_prm_2 }}; and"},{"id":"ca-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review {{ ca-9_prm_3 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2"},{"id":"cm-1_prm_3","label":"organization-defined official"},{"id":"cm-1_prm_4","label":"organization-defined frequency"},{"id":"cm-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-1"},{"name":"sort-id","value":"CM-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cm-1_prm_2 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ cm-1_prm_4 }}; and"},{"id":"cm-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ cm-1_prm_5 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","parameters":[{"id":"cm-2_prm_1","label":"organization-defined frequency"},{"id":"cm-2_prm_2","label":"Assignment organization-defined circumstances"}],"properties":[{"name":"label","value":"CM-2"},{"name":"sort-id","value":"CM-02"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-12","rel":"related","text":"CP-12"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-18","rel":"related","text":"SC-18"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cm-2_prm_1 }};"},{"id":"cm-2_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required due to {{ cm-2_prm_2 }}; and"},{"id":"cm-2_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."}],"controls":[{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","parameters":[{"id":"cm-2.2_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"CM-2(2)"},{"name":"sort-id","value":"CM-02(02)"}],"links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ cm-2.2_prm_1 }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities."}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","parameters":[{"id":"cm-2.3_prm_1","label":"organization-defined number"}],"properties":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"CM-02(03)"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ cm-2.3_prm_1 }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records."}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","parameters":[{"id":"cm-2.7_prm_1","label":"organization-defined systems or system components"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined controls"}],"properties":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"CM-02(07)"}],"links":[{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Issue {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ cm-2.7_prm_3 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family."}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","parameters":[{"id":"cm-3_prm_1","label":"organization-defined time-period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element"},{"id":"cm-3_prm_3"},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"properties":[{"name":"label","value":"CM-3"},{"name":"sort-id","value":"CM-03"}],"links":[{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10."}],"controls":[{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","properties":[{"name":"label","value":"CM-3(2)"},{"name":"sort-id","value":"CM-03(02)"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","parameters":[{"id":"cm-3.4_prm_1","label":"organization-defined security and privacy representatives"},{"id":"cm-3.4_prm_2","label":"organization-defined configuration change control element"}],"properties":[{"name":"label","value":"CM-3(4)"},{"name":"sort-id","value":"CM-03(04)"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ cm-3.4_prm_1 }} to be members of the {{ cm-3.4_prm_2 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3."}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"CM-04"}],"links":[{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required."}],"controls":[{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","properties":[{"name":"label","value":"CM-4(2)"},{"name":"sort-id","value":"CM-04(02)"}],"links":[{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#si-6","rel":"related","text":"SI-6"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","properties":[{"name":"label","value":"CM-5"},{"name":"sort-id","value":"CM-05"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-10","rel":"related","text":"SI-10"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","parameters":[{"id":"cm-6_prm_1","label":"organization-defined common secure configurations"},{"id":"cm-6_prm_2","label":"organization-defined system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"properties":[{"name":"label","value":"CM-6"},{"name":"sort-id","value":"CM-06"}],"links":[{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","rel":"reference","text":"[SP 800-126]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#06842bea-64c9-4e20-807a-b8fc003fa737","rel":"reference","text":"[USGCB]"},{"href":"#5cc04a1c-5489-4751-a493-746a9639067b","rel":"reference","text":"[NCPR]"},{"href":"#294eed19-7471-4517-9480-2ec73e7c6a78","rel":"reference","text":"[DOD STIG]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-6","rel":"related","text":"SI-6"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\nImplementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","parameters":[{"id":"cm-7_prm_1","label":"organization-defined mission essential capabilities"},{"id":"cm-7_prm_2","label":"organization-defined prohibited or restricted functions, ports, protocols, software, and/or services"}],"properties":[{"name":"label","value":"CM-7"},{"name":"sort-id","value":"CM-07"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#893d1736-324c-41d6-a5f4-d526b5ca981a","rel":"reference","text":"[SP 800-167]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ cm-7_prm_1 }}; and"},{"id":"cm-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3)."}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","parameters":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency"},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure"}],"properties":[{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"CM-07(01)"}],"links":[{"href":"#ac-18","rel":"related","text":"AC-18"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","parameters":[{"id":"cm-7.2_prm_1"},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions"}],"properties":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"CM-07(02)"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ cm-7.2_prm_1 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time."}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Whitelisting","parameters":[{"id":"cm-7.5_prm_1","label":"organization-defined software programs authorized to execute on the system"},{"id":"cm-7.5_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-7(5)"},{"name":"sort-id","value":"CM-07(05)"}],"links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Identify {{ cm-7.5_prm_1 }};"},{"id":"cm-7.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ cm-7.5_prm_2 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7."}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","parameters":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-8"},{"name":"sort-id","value":"CM-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location."}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","properties":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"CM-08(01)"}],"links":[{"href":"#pm-16","rel":"related","text":"PM-16"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","parameters":[{"id":"cm-8.3_prm_1","label":"organization-defined automated mechanisms"},{"id":"cm-8.3_prm_2","label":"organization-defined frequency"},{"id":"cm-8.3_prm_3"},{"id":"cm-8.3_prm_4","depends-on":"cm-8.3_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"CM-08(03)"}],"links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-39","rel":"related","text":"SC-39"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ cm-8.3_prm_1 }}\n {{ cm-8.3_prm_2 }}; and"},{"id":"cm-8.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ cm-8.3_prm_3 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing."}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","parameters":[{"id":"cm-9_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"CM-9"},{"name":"sort-id","value":"CM-09"}],"links":[{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ cm-9_prm_1 }}; and"},{"id":"cm-9_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents.\nOrganizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","properties":[{"name":"label","value":"CM-10"},{"name":"sort-id","value":"CM-10"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement."}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","parameters":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-11"},{"name":"sort-id","value":"CM-11"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish {{ cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","parameters":[{"id":"cm-12_prm_1","label":"organization-defined information"}],"properties":[{"name":"label","value":"CM-12"},{"name":"sort-id","value":"CM-12"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-23","rel":"related","text":"AC-23"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-4","rel":"related","text":"SC-4"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ cm-12_prm_1 }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17)."}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","parameters":[{"id":"cm-12.1_prm_1","label":"organization-defined information by information type"},{"id":"cm-12.1_prm_2","label":"organization-defined system components"}],"properties":[{"name":"label","value":"CM-12(1)"},{"name":"sort-id","value":"CM-12(01)"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ cm-12.1_prm_1 }} on {{ cm-12.1_prm_2 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions."}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2"},{"id":"cp-1_prm_3","label":"organization-defined official"},{"id":"cp-1_prm_4","label":"organization-defined frequency"},{"id":"cp-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-1"},{"name":"sort-id","value":"CP-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cp-1_prm_2 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ cp-1_prm_4 }}; and"},{"id":"cp-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ cp-1_prm_5 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","parameters":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and/or by role) and organizational elements"}],"properties":[{"name":"label","value":"CP-2"},{"name":"sort-id","value":"CP-02"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#7a93e915-fd58-4147-be12-e48044c367e6","rel":"reference","text":"[IR 8179]"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-11","rel":"related","text":"CP-11"},{"href":"#cp-13","rel":"related","text":"CP-13"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-20","rel":"related","text":"SA-20"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.\nIn addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family."}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"CP-02(01)"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans."}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Missions and Business Functions","parameters":[{"id":"cp-2.3_prm_1"},{"id":"cp-2.3_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"CP-02(03)"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ cp-2.3_prm_1 }} missions and business functions within {{ cp-2.3_prm_2 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","parameters":[{"id":"cp-2.8_prm_1"}],"properties":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"CP-02(08)"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ra-9","rel":"related","text":"RA-9"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ cp-2.8_prm_1 }} missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement."}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","parameters":[{"id":"cp-3_prm_1","label":"organization-defined time-period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-3"},{"name":"sort-id","value":"CP-03"}],"links":[{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n {{ cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan."}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","parameters":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"properties":[{"name":"label","value":"CP-4"},{"name":"sort-id","value":"CP-04"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#20bf433b-074c-47a0-8fca-cd591772ccd6","rel":"reference","text":"[SP 800-84]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"CP-04(01)"}],"links":[{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-8","rel":"related","text":"PM-8"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements."}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","properties":[{"name":"label","value":"CP-6"},{"name":"sort-id","value":"CP-06"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-36","rel":"related","text":"SC-36"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems."}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"CP-06(01)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"CP-06(03)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","parameters":[{"id":"cp-7_prm_1","label":"organization-defined system operations"},{"id":"cp-7_prm_2","label":"organization-defined time-period consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-7"},{"name":"sort-id","value":"CP-07"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-11","rel":"related","text":"PE-11"},{"href":"#pe-12","rel":"related","text":"PE-12"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#sc-36","rel":"related","text":"SC-36"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ cp-7_prm_1 }} for essential missions and business functions within {{ cp-7_prm_2 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems."}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"CP-07(01)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"CP-07(02)"}],"links":[{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","properties":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"CP-07(03)"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","parameters":[{"id":"cp-8_prm_1","label":"organization-defined system operations"},{"id":"cp-8_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"CP-8"},{"name":"sort-id","value":"CP-08"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-11","rel":"related","text":"CP-11"},{"href":"#sc-7","rel":"related","text":"SC-7"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for essential missions and business functions within {{ cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","properties":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"CP-08(01)"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","properties":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"CP-08(02)"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","parameters":[{"id":"cp-9_prm_1","label":"organization-defined system components"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_4","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-9"},{"name":"sort-id","value":"CP-09"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#ae412317-c2b4-47bb-b47b-c329ce0d7a0b","rel":"reference","text":"[SP 800-130]"},{"href":"#38dbdf55-9a14-446f-b563-c48e4e3d37fb","rel":"reference","text":"[SP 800-152]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ cp-9_prm_1 }}\n {{ cp-9_prm_2 }};"},{"id":"cp-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }};"},{"id":"cp-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and"},{"id":"cp-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","parameters":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"CP-09(01)"}],"links":[{"href":"#cp-4","rel":"related","text":"CP-4"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"cp-9.8_prm_1","label":"organization-defined backup information"}],"properties":[{"name":"label","value":"CP-9(8)"},{"name":"sort-id","value":"CP-09(08)"}],"links":[{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ cp-9.8_prm_1 }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","parameters":[{"id":"cp-10_prm_1","label":"organization-defined time-period consistent with recovery time and recovery point objectives"}],"properties":[{"name":"label","value":"CP-10"},{"name":"sort-id","value":"CP-10"}],"links":[{"href":"#65774382-fcc6-4bbc-89fc-9d35aab19952","rel":"reference","text":"[SP 800-34]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-24","rel":"related","text":"SC-24"},{"href":"#si-13","rel":"related","text":"SI-13"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","properties":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"CP-10(02)"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2"},{"id":"ia-1_prm_3","label":"organization-defined official"},{"id":"ia-1_prm_4","label":"organization-defined frequency"},{"id":"ia-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IA-1"},{"name":"sort-id","value":"IA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ia-1_prm_2 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ia-1_prm_4 }}; and"},{"id":"ia-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ia-1_prm_5 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","properties":[{"name":"label","value":"IA-2"},{"name":"sort-id","value":"IA-02"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa","rel":"reference","text":"[SP 800-156]"},{"href":"#a8f55663-86c5-415b-aabe-d2a126981d65","rel":"reference","text":"[SP 800-166]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#daf69edb-a0ef-4447-9880-8c4bf553181f","rel":"reference","text":"[IR 7676]"},{"href":"#a49f67fc-827c-40e6-9a37-2b1cbe8142fd","rel":"reference","text":"[IR 7817]"},{"href":"#972c10bd-aedf-485f-b0db-f46a402127e2","rel":"reference","text":"[IR 7849]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8."}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multifactor Authentication to Privileged Accounts","properties":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"IA-02(01)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multifactor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multifactor Authentication to Non-privileged Accounts","properties":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"IA-02(02)"}],"links":[{"href":"#ac-5","rel":"related","text":"AC-5"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multifactor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","parameters":[{"id":"ia-2.8_prm_1"}],"properties":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"IA-02(08)"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators."}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","properties":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"IA-02(12)"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential."}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","parameters":[{"id":"ia-3_prm_1","label":"organization-defined devices and/or types of devices"},{"id":"ia-3_prm_2"}],"properties":[{"name":"label","value":"IA-3"},{"name":"sort-id","value":"IA-03"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need."}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","parameters":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"IA-4"},{"name":"sort-id","value":"IA-04"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#sc-37","rel":"related","text":"SC-37"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ ia-4_prm_2 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","parameters":[{"id":"ia-4.4_prm_1","label":"organization-defined characteristic identifying individual status"}],"properties":[{"name":"label","value":"IA-4(4)"},{"name":"sort-id","value":"IA-04(04)"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ ia-4.4_prm_1 }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","parameters":[{"id":"ia-5_prm_1","label":"organization-defined time-period by authenticator type"}],"properties":[{"name":"label","value":"IA-5"},{"name":"sort-id","value":"IA-05"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#a49f67fc-827c-40e6-9a37-2b1cbe8142fd","rel":"reference","text":"[IR 7817]"},{"href":"#972c10bd-aedf-485f-b0db-f46a402127e2","rel":"reference","text":"[IR 7849]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#24738ee6-b3f3-4e37-825b-58775846bdbc","rel":"reference","text":"[IR 8040]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changing or refreshing authenticators {{ ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","parameters":[{"id":"ia-5.1_prm_1","label":"organization-defined frequency"},{"id":"ia-5.1_prm_2","label":"organization-defined composition and complexity rules"}],"properties":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"IA-05(01)"}],"links":[{"href":"#ia-6","rel":"related","text":"IA-6"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;"},{"id":"ia-5.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Transmit only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","properties":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","properties":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof."}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Implement a local cache of revocation data to support path discovery and validation.","properties":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"IA-05(02)"}],"links":[{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-17","rel":"related","text":"SC-17"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_gdn","name":"guidance"}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","properties":[{"name":"label","value":"IA-5(6)"},{"name":"sort-id","value":"IA-05(06)"}],"links":[{"href":"#ra-2","rel":"related","text":"RA-2"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","properties":[{"name":"label","value":"IA-6"},{"name":"sort-id","value":"IA-06"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it."}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","properties":[{"name":"label","value":"IA-7"},{"name":"sort-id","value":"IA-07"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","properties":[{"name":"label","value":"IA-8"},{"name":"sort-id","value":"IA-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#ad7d575f-b5fe-489b-8d48-36a93d964a5f","rel":"reference","text":"[SP 800-116]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-10","rel":"related","text":"IA-10"},{"href":"#ia-11","rel":"related","text":"IA-11"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-8","rel":"related","text":"SC-8"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","properties":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"IA-08(01)"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]."}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Credentials","properties":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"IA-08(02)"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"Accept only external credentials that are NIST-compliant."},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels."}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Nist-issued Profiles","properties":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"IA-08(04)"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to NIST-issued profiles for identity management."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols."}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","parameters":[{"id":"ia-11_prm_1","label":"organization-defined circumstances or situations requiring re-authentication"}],"properties":[{"name":"label","value":"IA-11"},{"name":"sort-id","value":"IA-11"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-11","rel":"related","text":"AC-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ ia-11_prm_1 }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically."}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","properties":[{"name":"label","value":"IA-12"},{"name":"sort-id","value":"IA-12"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#3c50fa31-7f4d-4d30-91d7-27ee87cd5f75","rel":"reference","text":"[SP 800-63A]"},{"href":"#bb55e71a-e059-4263-8dd8-bc96fd3f063d","rel":"reference","text":"[SP 800-79-2]"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-6","rel":"related","text":"IA-6"},{"href":"#ia-8","rel":"related","text":"IA-8"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A]."}],"controls":[{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","properties":[{"name":"label","value":"IA-12(2)"},{"name":"sort-id","value":"IA-12(02)"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account."}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","parameters":[{"id":"ia-12.3_prm_1","label":"organizational defined methods of validation and verification"}],"properties":[{"name":"label","value":"IA-12(3)"},{"name":"sort-id","value":"IA-12(03)"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ ia-12.3_prm_1 }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account"}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","parameters":[{"id":"ia-12.5_prm_1"}],"properties":[{"name":"label","value":"IA-12(5)"},{"name":"sort-id","value":"IA-12(05)"}],"links":[{"href":"#ia-12","rel":"related","text":"IA-12"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ ia-12.5_prm_1 }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2"},{"id":"ir-1_prm_3","label":"organization-defined official"},{"id":"ir-1_prm_4","label":"organization-defined frequency"},{"id":"ir-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-1"},{"name":"sort-id","value":"IR-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ir-1_prm_2 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ir-1_prm_4 }}; and"},{"id":"ir-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ir-1_prm_5 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","parameters":[{"id":"ir-2_prm_1","label":"organization-defined time-period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-2"},{"name":"sort-id","value":"IR-02"}],"links":[{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n {{ ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3."}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","parameters":[{"id":"ir-3_prm_1","label":"organization-defined frequency"},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"properties":[{"name":"label","value":"IR-3"},{"name":"sort-id","value":"IR-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#20bf433b-074c-47a0-8fca-cd591772ccd6","rel":"reference","text":"[SP 800-84]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-14","rel":"related","text":"PM-14"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","properties":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"IR-03(02)"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans."}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"IR-04"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#35dfd59f-eef2-4f71-bdb5-6d878267456a","rel":"reference","text":"[SP 800-86]"},{"href":"#1e2c475a-84ae-4c60-b420-8fb2ea552b71","rel":"reference","text":"[SP 800-101]"},{"href":"#ad3e8f21-07c6-4968-b002-00b64dfa70ae","rel":"reference","text":"[SP 800-150]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#08f518f7-f9b9-4bee-8986-860214f46b16","rel":"reference","text":"[SP 800-184]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk."}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","parameters":[{"id":"ir-4.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"IR-04(01)"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ ir-4.1_prm_1 }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis."}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","properties":[{"name":"label","value":"IR-5"},{"name":"sort-id","value":"IR-05"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document security, privacy, and supply chain incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports."}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time-period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"label","value":"IR-6"},{"name":"sort-id","value":"IR-06"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","parameters":[{"id":"ir-6.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"IR-06(01)"}],"links":[{"href":"#ir-7","rel":"related","text":"IR-7"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ ir-6.1_prm_1 }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs."}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","properties":[{"name":"label","value":"IR-6(3)"},{"name":"sort-id","value":"IR-06(03)"}],"links":[{"href":"#sr-8","rel":"related","text":"SR-8"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident."}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"IR-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-26","rel":"related","text":"PM-26"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","parameters":[{"id":"ir-7.1_prm_1","label":"organization-defined automated mechanisms"}],"properties":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"IR-07(01)"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ ir-7.1_prm_1 }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined frequency"},{"id":"ir-8_prm_3","label":"organization-defined entities, personnel, or roles"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"},{"id":"ir-8_prm_5","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"}],"properties":[{"name":"label","value":"IR-8"},{"name":"sort-id","value":"IR-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#389fe193-866e-46b1-bf1d-38904b56aa7b","rel":"reference","text":"[OMB M-17-12]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-8","rel":"related","text":"SR-8"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and"},{"id":"ir-8_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}."}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ ir-8_prm_4 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ ir-8_prm_5 }}; and"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2"},{"id":"ma-1_prm_3","label":"organization-defined official"},{"id":"ma-1_prm_4","label":"organization-defined frequency"},{"id":"ma-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MA-1"},{"name":"sort-id","value":"MA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ma-1_prm_2 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ma-1_prm_4 }}; and"},{"id":"ma-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ma-1_prm_5 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","parameters":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined information"},{"id":"ma-2_prm_3","label":"organization-defined information"}],"properties":[{"name":"label","value":"MA-2"},{"name":"sort-id","value":"MA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }};"},{"id":"ma-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems."}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","parameters":[{"id":"ma-3_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MA-3"},{"name":"sort-id","value":"MA-03"}],"links":[{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#pe-16","rel":"related","text":"PE-16"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ ma-3_prm_1 }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools."}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","properties":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"MA-03(01)"}],"links":[{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","properties":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"MA-03(02)"}],"links":[{"href":"#si-3","rel":"related","text":"SI-3"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures."}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","parameters":[{"id":"ma-3.3_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MA-3(3)"},{"name":"sort-id","value":"MA-03(03)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","properties":[{"name":"label","value":"MA-4"},{"name":"sort-id","value":"MA-04"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#bbc7085f-b383-444e-af74-722a55cccc0f","rel":"reference","text":"[FIPS 197]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-10","rel":"related","text":"SC-10"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls."}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","properties":[{"name":"label","value":"MA-5"},{"name":"sort-id","value":"MA-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods."}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","parameters":[{"id":"ma-6_prm_1","label":"organization-defined system components"},{"id":"ma-6_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"MA-6"},{"name":"sort-id","value":"MA-06"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-13","rel":"related","text":"SI-13"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2"},{"id":"mp-1_prm_3","label":"organization-defined official"},{"id":"mp-1_prm_4","label":"organization-defined frequency"},{"id":"mp-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MP-1"},{"name":"sort-id","value":"MP-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ mp-1_prm_2 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ mp-1_prm_4 }}; and"},{"id":"mp-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ mp-1_prm_5 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","parameters":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MP-2"},{"name":"sort-id","value":"MP-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media."}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","parameters":[{"id":"mp-3_prm_1","label":"organization-defined types of system media"},{"id":"mp-3_prm_2","label":"organization-defined controlled areas"}],"properties":[{"name":"label","value":"MP-3"},{"name":"sort-id","value":"MP-03"}],"links":[{"href":"#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","rel":"reference","text":"[32 CFR 2002]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-22","rel":"related","text":"PE-22"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Exempt {{ mp-3_prm_1 }} from marking if the media remain within {{ mp-3_prm_2 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","parameters":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-4_prm_2","label":"organization-defined controlled areas"}],"properties":[{"name":"label","value":"MP-4"},{"name":"sort-id","value":"MP-04"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#77dc1838-3664-4faa-bc6e-4e2a16e52f35","rel":"reference","text":"[SP 800-56A]"},{"href":"#f417e4ec-cadb-47a8-a363-6006b32c28ad","rel":"reference","text":"[SP 800-56B]"},{"href":"#7c3ba335-62bd-4f03-888f-960790409b11","rel":"reference","text":"[SP 800-56C]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ mp-4_prm_1 }} within {{ mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection."}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","parameters":[{"id":"mp-5_prm_1","label":"organization-defined types of system media"},{"id":"mp-5_prm_2","label":"organization-defined controls"}],"properties":[{"name":"label","value":"MP-5"},{"name":"sort-id","value":"MP-05"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-34","rel":"related","text":"SC-34"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Protect and control {{ mp-5_prm_1 }} during transport outside of controlled areas using {{ mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"MP-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#a52271dc-11b5-423a-8b6f-14867bd94259","rel":"reference","text":"[NSA MEDIA]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"},{"href":"#si-19","rel":"related","text":"SI-19"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information."}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","parameters":[{"id":"mp-7_prm_1"},{"id":"mp-7_prm_2","label":"organization-defined types of system media"},{"id":"mp-7_prm_3","label":"organization-defined systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined controls"}],"properties":[{"name":"label","value":"MP-7"},{"name":"sort-id","value":"MP-07"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#sc-41","rel":"related","text":"SC-41"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"\n {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and"},{"id":"mp-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2"},{"id":"pe-1_prm_3","label":"organization-defined official"},{"id":"pe-1_prm_4","label":"organization-defined frequency"},{"id":"pe-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-1"},{"name":"sort-id","value":"PE-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pe-1_prm_2 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pe-1_prm_4 }}; and"},{"id":"pe-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pe-1_prm_5 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","parameters":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-2"},{"name":"sort-id","value":"PE-02"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-8","rel":"related","text":"PE-8"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible."}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","parameters":[{"id":"pe-3_prm_1","label":"organization-defined entry and exit points to the facility where the system resides"},{"id":"pe-3_prm_2"},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems or devices"},{"id":"pe-3_prm_4","label":"organization-defined entry or exit points"},{"id":"pe-3_prm_5","label":"organization-defined controls"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-3"},{"name":"sort-id","value":"PE-03"}],"links":[{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ad7d575f-b5fe-489b-8d48-36a93d964a5f","rel":"reference","text":"[SP 800-116]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-8","rel":"related","text":"PE-8"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ pe-3_prm_1 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }};"},{"id":"pe-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Escort visitors and monitor visitor activity {{ pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","parameters":[{"id":"pe-4_prm_1","label":"organization-defined system distribution and transmission lines"},{"id":"pe-4_prm_2","label":"organization-defined security controls"}],"properties":[{"name":"label","value":"PE-4"},{"name":"sort-id","value":"PE-04"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#pe-9","rel":"related","text":"PE-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-8","rel":"related","text":"SC-8"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ pe-4_prm_1 }} within organizational facilities using {{ pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors."}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","parameters":[{"id":"pe-5_prm_1","label":"organization-defined output devices"}],"properties":[{"name":"label","value":"PE-5"},{"name":"sort-id","value":"PE-05"}],"links":[{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-18","rel":"related","text":"PE-18"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ pe-5_prm_1 }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","parameters":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"properties":[{"name":"label","value":"PE-6"},{"name":"sort-id","value":"PE-06"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses."}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","properties":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"PE-06(01)"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","parameters":[{"id":"pe-8_prm_1","label":"organization-defined time-period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"},{"id":"pe-8_prm_3","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"PE-8"},{"name":"sort-id","value":"PE-08"}],"links":[{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }};"},{"id":"pe-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ pe-8_prm_2 }}; and"},{"id":"pe-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ pe-8_prm_3 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas."}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","properties":[{"name":"label","value":"PE-9"},{"name":"sort-id","value":"PE-09"}],"links":[{"href":"#pe-4","rel":"related","text":"PE-4"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems."}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","parameters":[{"id":"pe-10_prm_1","label":"organization-defined system or individual system components"},{"id":"pe-10_prm_2","label":"organization-defined location by system or system component"}],"properties":[{"name":"label","value":"PE-10"},{"name":"sort-id","value":"PE-10"}],"links":[{"href":"#pe-15","rel":"related","text":"PE-15"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ pe-10_prm_1 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ pe-10_prm_2 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","parameters":[{"id":"pe-11_prm_1"}],"properties":[{"name":"label","value":"PE-11"},{"name":"sort-id","value":"PE-11"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system."}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","properties":[{"name":"label","value":"PE-12"},{"name":"sort-id","value":"PE-12"}],"links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites."}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","properties":[{"name":"label","value":"PE-13"},{"name":"sort-id","value":"PE-13"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors."}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems – Automatic Activation and Notification","parameters":[{"id":"pe-13.1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.1_prm_2","label":"organization-defined emergency responders"}],"properties":[{"name":"label","value":"PE-13(1)"},{"name":"sort-id","value":"PE-13(01)"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ pe-13.1_prm_1 }} and {{ pe-13.1_prm_2 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire."}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","parameters":[{"id":"pe-14_prm_1"},{"id":"pe-14_prm_2","depends-on":"pe-14_prm_1","label":"organization-defined environmental control"},{"id":"pe-14_prm_3","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_4","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-14"},{"name":"sort-id","value":"PE-14"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pe-21","rel":"related","text":"PE-21"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and"},{"id":"pe-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ pe-14_prm_4 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure."}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","properties":[{"name":"label","value":"PE-15"},{"name":"sort-id","value":"PE-15"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pe-10","rel":"related","text":"PE-10"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations."}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","parameters":[{"id":"pe-16_prm_1","label":"organization-defined types of system components"}],"properties":[{"name":"label","value":"PE-16"},{"name":"sort-id","value":"PE-16"}],"links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","parameters":[{"id":"pe-17_prm_1","label":"organization-defined alternate work sites"},{"id":"pe-17_prm_2","label":"organization-defined controls"}],"properties":[{"name":"label","value":"PE-17"},{"name":"sort-id","value":"PE-17"}],"links":[{"href":"#7768c184-088d-4ee8-a316-f9286b52df7f","rel":"reference","text":"[SP 800-46]"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#cp-7","rel":"related","text":"CP-7"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ pe-17_prm_1 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ pe-17_prm_2 }};"},{"id":"pe-17_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations."}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2"},{"id":"pl-1_prm_3","label":"organization-defined official"},{"id":"pl-1_prm_4","label":"organization-defined frequency"},{"id":"pl-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-1"},{"name":"sort-id","value":"PL-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pl-1_prm_2 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pl-1_prm_4 }}; and"},{"id":"pl-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pl-1_prm_5 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","parameters":[{"id":"pl-2_prm_1","label":"organization-defined individuals or groups"},{"id":"pl-2_prm_2","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-2"},{"name":"sort-id","value":"PL-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-22","rel":"related","text":"SA-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.10","name":"item","properties":[{"name":"label","value":"10."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.11","name":"item","properties":[{"name":"label","value":"11."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.12","name":"item","properties":[{"name":"label","value":"12."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and"},{"id":"pl-2_smt.a.13","name":"item","properties":[{"name":"label","value":"13."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the plans {{ pl-2_prm_3 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate."}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency"},{"id":"pl-4_prm_2"},{"id":"pl-4_prm_3","depends-on":"pl-4_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"PL-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons."}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site/application Usage Restrictions","properties":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"PL-04(01)"}],"links":[{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-13","rel":"related","text":"AU-13"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites/applications;"},{"id":"pl-4.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information."}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","parameters":[{"id":"pl-8_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-8"},{"name":"sort-id","value":"PL-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pl-9","rel":"related","text":"PL-9"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs.\n[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented.\nPL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","properties":[{"name":"label","value":"PL-10"},{"name":"sort-id","value":"PL-10"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#31f3c9de-c57c-4281-929b-f9951f9640f1","rel":"reference","text":"[SP 800-53B]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ee96f130-3f91-46ed-a4d8-57e5f220a623","rel":"reference","text":"[CNSSI 1253]"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments."}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","properties":[{"name":"label","value":"PL-11"},{"name":"sort-id","value":"PL-11"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#31f3c9de-c57c-4281-929b-f9951f9640f1","rel":"reference","text":"[SP 800-53B]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ee96f130-3f91-46ed-a4d8-57e5f220a623","rel":"reference","text":"[CNSSI 1253]"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities."}]}]},{"id":"pm","class":"family","title":"Program Management","controls":[{"id":"pm-1","class":"SP800-53","title":"Information Security Program Plan","parameters":[{"id":"pm-1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-1"},{"name":"sort-id","value":"PM-01"}],"links":[{"href":"#14958422-54f6-471f-a345-802dca594dd8","rel":"reference","text":"[FISMA]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"pm-1_smt","name":"statement","parts":[{"id":"pm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide information security program plan that:","parts":[{"id":"pm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;"},{"id":"pm-1_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Reflects the coordination among organizational entities responsible for information security; and"},{"id":"pm-1_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the organization-wide information security program plan {{ pm-1_prm_1 }};"},{"id":"pm-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and"},{"id":"pm-1_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect the information security program plan from unauthorized disclosure and modification."}]},{"id":"pm-1_gdn","name":"guidance","prose":"An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents.\nInformation security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls."}]},{"id":"pm-2","class":"SP800-53","title":"Information Security Program Leadership Role","properties":[{"name":"label","value":"PM-2"},{"name":"sort-id","value":"PM-02"}],"links":[{"href":"#ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3","rel":"reference","text":"[OMB M-17-25]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"}],"parts":[{"id":"pm-2_smt","name":"statement","prose":"Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program."},{"id":"pm-2_gdn","name":"guidance","prose":"The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer."}]},{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","properties":[{"name":"label","value":"PM-3"},{"name":"sort-id","value":"PM-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","properties":[{"name":"label","value":"PM-4"},{"name":"sort-id","value":"PM-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5."}]},{"id":"pm-5","class":"SP800-53","title":"System Inventory","parameters":[{"id":"pm-5_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-5"},{"name":"sort-id","value":"PM-05"}],"links":[{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"}],"parts":[{"id":"pm-5_smt","name":"statement","prose":"Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems."},{"id":"pm-5_gdn","name":"guidance","prose":"[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8."}],"controls":[{"id":"pm-5.1","class":"SP800-53-enhancement","title":"Inventory of Personally Identifiable Information","parameters":[{"id":"pm-5.1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-5(1)"},{"name":"sort-id","value":"PM-05(01)"}],"links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-12","rel":"related","text":"CM-12"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-5.1_smt","name":"statement","prose":"Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information."},{"id":"pm-5.1_gdn","name":"guidance","prose":"An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein."}]}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","properties":[{"name":"label","value":"PM-6"},{"name":"sort-id","value":"PM-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","rel":"reference","text":"[SP 800-55]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-7","rel":"related","text":"CA-7"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program."}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","properties":[{"name":"label","value":"PM-7"},{"name":"sort-id","value":"PM-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines."}],"controls":[{"id":"pm-7.1","class":"SP800-53-enhancement","title":"Offloading","parameters":[{"id":"pm-7.1_prm_1","label":"organization-defined non-essential functions or services"}],"properties":[{"name":"label","value":"PM-7(1)"},{"name":"sort-id","value":"PM-07(01)"}],"links":[{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"pm-7.1_smt","name":"statement","prose":"Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider."},{"id":"pm-7.1_gdn","name":"guidance","prose":"Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services."}]}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","properties":[{"name":"label","value":"PM-8"},{"name":"sort-id","value":"PM-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#cde25174-38e0-4a00-8919-8ee3674b8088","rel":"reference","text":"[HSPD 7]"},{"href":"#24b7b1ec-6430-41de-9353-29fdb1b488fc","rel":"reference","text":"[DHS NIPP]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","parameters":[{"id":"pm-9_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-9"},{"name":"sort-id","value":"PM-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive."}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","properties":[{"name":"label","value":"PM-10"},{"name":"sort-id","value":"PM-10"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","parameters":[{"id":"pm-11_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-11"},{"name":"sort-id","value":"PM-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ pm-11_prm_1 }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures."}]},{"id":"pm-12","class":"SP800-53","title":"Insider Threat Program","properties":[{"name":"label","value":"PM-12"},{"name":"sort-id","value":"PM-12"}],"links":[{"href":"#2b5e12fb-633f-49e6-8aff-81d75bf53545","rel":"reference","text":"[EO 13587]"},{"href":"#286d42a1-efbe-49a2-9ce1-4c9bf68feb3b","rel":"reference","text":"[ODNI NITP]"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-16","rel":"related","text":"PM-16"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#pm-14","rel":"related","text":"PM-14"}],"parts":[{"id":"pm-12_smt","name":"statement","prose":"Implement an insider threat program that includes a cross-discipline insider threat incident handling team."},{"id":"pm-12_gdn","name":"guidance","prose":"Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture.\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","properties":[{"name":"label","value":"PM-13"},{"name":"sort-id","value":"PM-13"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f4c3f657-de83-47ae-9aec-e144de8268d1","rel":"reference","text":"[SP 800-181]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","properties":[{"name":"label","value":"PM-14"},{"name":"sort-id","value":"PM-14"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."}]},{"id":"pm-15","class":"SP800-53","title":"Security and Privacy Groups and Associations","properties":[{"name":"label","value":"PM-15"},{"name":"sort-id","value":"PM-15"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-5","rel":"related","text":"SI-5"}],"parts":[{"id":"pm-15_smt","name":"statement","prose":"Establish and institutionalize contact with selected groups and associations within the security and privacy communities:","parts":[{"id":"pm-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"To facilitate ongoing security and privacy education and training for organizational personnel;"},{"id":"pm-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"To maintain currency with recommended security and privacy practices, techniques, and technologies; and"},{"id":"pm-15_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"To share current security and privacy information, including threats, vulnerabilities, and incidents."}]},{"id":"pm-15_gdn","name":"guidance","prose":"Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"pm-16","class":"SP800-53","title":"Threat Awareness Program","properties":[{"name":"label","value":"PM-16"},{"name":"sort-id","value":"PM-16"}],"links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pm-12","rel":"related","text":"PM-12"}],"parts":[{"id":"pm-16_smt","name":"statement","prose":"Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."},{"id":"pm-16_gdn","name":"guidance","prose":"Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared."}],"controls":[{"id":"pm-16.1","class":"SP800-53-enhancement","title":"Automated Means for Sharing Threat Intelligence","properties":[{"name":"label","value":"PM-16(1)"},{"name":"sort-id","value":"PM-16(01)"}],"parts":[{"id":"pm-16.1_smt","name":"statement","prose":"Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information."},{"id":"pm-16.1_gdn","name":"guidance","prose":"To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures."}]}]},{"id":"pm-17","class":"SP800-53","title":"Protecting Controlled Unclassified Information on External Systems","parameters":[{"id":"pm-17_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-17"},{"name":"sort-id","value":"PM-17"}],"links":[{"href":"#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","rel":"reference","text":"[32 CFR 2002]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#dd87fdf0-840d-4392-9de4-220b2327e340","rel":"reference","text":"[NARA CUI]"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#pm-10","rel":"related","text":"PM-10"}],"parts":[{"id":"pm-17_smt","name":"statement","parts":[{"id":"pm-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards."},{"id":"pm-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update the policy and procedures {{ pm-17_prm_1 }}."}]},{"id":"pm-17_gdn","name":"guidance","prose":"Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes."}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","properties":[{"name":"label","value":"PM-18"},{"name":"sort-id","value":"PM-18"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","properties":[{"name":"label","value":"PM-19"},{"name":"sort-id","value":"PM-19"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-20","rel":"related","text":"PM-20"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-24","rel":"related","text":"PM-24"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)."}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","properties":[{"name":"label","value":"PM-20"},{"name":"sort-id","value":"PM-20"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f7d3617a-9a4f-4f1a-a688-845081b70390","rel":"reference","text":"[OMB M-17-06]"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-8","rel":"related","text":"RA-8"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications."}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","properties":[{"name":"label","value":"PM-21"},{"name":"sort-id","value":"PM-21"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pt-2","rel":"related","text":"PT-2"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the person or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions."}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","properties":[{"name":"label","value":"PM-22"},{"name":"sort-id","value":"PM-22"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."}]},{"id":"pm-23","class":"SP800-53","title":"Data Governance Body","parameters":[{"id":"pm-23_prm_1","label":"organization-defined roles"},{"id":"pm-23_prm_2","label":"organization-defined responsibilities"}],"properties":[{"name":"label","value":"PM-23"},{"name":"sort-id","value":"PM-23"}],"links":[{"href":"#43facb7b-0afb-480f-8191-34790d5b444b","rel":"reference","text":"[EVIDACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#d843e915-eeb6-4bbe-8cab-ccc802088703","rel":"reference","text":"[OMB M-19-23]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-19","rel":"related","text":"SI-19"}],"parts":[{"id":"pm-23_smt","name":"statement","prose":"Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}."},{"id":"pm-23_gdn","name":"guidance","prose":"A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]."}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","properties":[{"name":"label","value":"PM-24"},{"name":"sort-id","value":"PM-24"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-8","rel":"related","text":"PT-8"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Pii Used in Testing, Training, and Research","parameters":[{"id":"pm-25_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-25"},{"name":"sort-id","value":"PM-25"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)."}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","parameters":[{"id":"pm-26_prm_1","label":"organization-defined time-period"},{"id":"pm-26_prm_2","label":"organization-defined time-period"},{"id":"pm-26_prm_3","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PM-26"},{"name":"sort-id","value":"PM-26"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and"},{"id":"pm-26_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information."}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","parameters":[{"id":"pm-27_prm_1","label":"organization-defined privacy reports"},{"id":"pm-27_prm_2","label":"organization-defined officials"},{"id":"pm-27_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-27"},{"name":"sort-id","value":"PM-27"}],"links":[{"href":"#14958422-54f6-471f-a345-802dca594dd8","rel":"reference","text":"[FISMA]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop {{ pm-27_prm_1 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ pm-27_prm_3 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."}]},{"id":"pm-28","class":"SP800-53","title":"Risk Framing","parameters":[{"id":"pm-28_prm_1","label":"organization-defined personnel"},{"id":"pm-28_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-28"},{"name":"sort-id","value":"PM-28"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-7","rel":"related","text":"RA-7"}],"parts":[{"id":"pm-28_smt","name":"statement","parts":[{"id":"pm-28_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document:","parts":[{"id":"pm-28_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Assumptions affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Constraints affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Priorities and trade-offs considered by the organization for managing risk; and"},{"id":"pm-28_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Organizational risk tolerance; and"}]},{"id":"pm-28_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute the results of risk framing activities to {{ pm-28_prm_1 }};"},{"id":"pm-28_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update risk framing considerations {{ pm-28_prm_2 }}."}]},{"id":"pm-28_gdn","name":"guidance","prose":"Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management."}]},{"id":"pm-29","class":"SP800-53","title":"Risk Management Program Leadership Roles","properties":[{"name":"label","value":"PM-29"},{"name":"sort-id","value":"PM-29"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-29_smt","name":"statement","parts":[{"id":"pm-29_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and"},{"id":"pm-29_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization."}]},{"id":"pm-29_gdn","name":"guidance","prose":"The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities."}]},{"id":"pm-30","class":"SP800-53","title":"Supply Chain Risk Management Strategy","parameters":[{"id":"pm-30_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-30"},{"name":"sort-id","value":"PM-30"}],"links":[{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-7","rel":"related","text":"SR-7"},{"href":"#sr-8","rel":"related","text":"SR-8"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"pm-30_smt","name":"statement","parts":[{"id":"pm-30_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;"},{"id":"pm-30_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management strategy consistently across the organization; and"},{"id":"pm-30_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes."}]},{"id":"pm-30_gdn","name":"guidance","prose":"An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level."}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","parameters":[{"id":"pm-31_prm_1","label":"organization-defined metrics"},{"id":"pm-31_prm_2","label":"organization-defined frequencies"},{"id":"pm-31_prm_3","label":"organization-defined frequencies"},{"id":"pm-31_prm_4","label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-31"},{"name":"sort-id","value":"PM-31"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};"},{"id":"pm-31_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;"},{"id":"pm-31_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}]},{"id":"pm-32","class":"SP800-53","title":"Purposing","parameters":[{"id":"pm-32_prm_1","label":"organization-defined systems or systems components"}],"properties":[{"name":"label","value":"PM-32"},{"name":"sort-id","value":"PM-32"}],"links":[{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"}],"parts":[{"id":"pm-32_smt","name":"statement","prose":"Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose."},{"id":"pm-32_gdn","name":"guidance","prose":"Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures."}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2"},{"id":"ps-1_prm_3","label":"organization-defined official"},{"id":"ps-1_prm_4","label":"organization-defined frequency"},{"id":"ps-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-1"},{"name":"sort-id","value":"PS-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ps-1_prm_2 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ps-1_prm_4 }}; and"},{"id":"ps-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ps-1_prm_5 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","parameters":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-2"},{"name":"sort-id","value":"PS-02"}],"links":[{"href":"#2383ccfd-d8a0-4e3a-bf40-21288ae1e07a","rel":"reference","text":"[5 CFR 731]"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","parameters":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"}],"properties":[{"name":"label","value":"PS-3"},{"name":"sort-id","value":"PS-03"}],"links":[{"href":"#52a8b0c6-0c6b-424b-928d-41c50ba87838","rel":"reference","text":"[EO 13526]"},{"href":"#2b5e12fb-633f-49e6-8aff-81d75bf53545","rel":"reference","text":"[EO 13587]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#d5ef0056-c807-44c3-a7b5-6eb491538f8e","rel":"reference","text":"[SP 800-76-2]"},{"href":"#013e098f-0680-4856-a130-b768c69dab9c","rel":"reference","text":"[SP 800-78-4]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-21","rel":"related","text":"SA-21"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","parameters":[{"id":"ps-4_prm_1","label":"organization-defined time-period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"}],"properties":[{"name":"label","value":"PS-4"},{"name":"sort-id","value":"PS-04"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified."}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","parameters":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time-period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-5"},{"name":"sort-id","value":"PS-05"}],"links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-7","rel":"related","text":"PS-7"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","parameters":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-6"},{"name":"sort-id","value":"PS-06"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","parameters":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-7"},{"name":"sort-id","value":"PS-07"}],"links":[{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-21","rel":"related","text":"SA-21"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated."}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","parameters":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PS-8"},{"name":"sort-id","value":"PS-08"}],"links":[{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#pt-1","rel":"related","text":"PT-1"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2"},{"id":"ra-1_prm_3","label":"organization-defined official"},{"id":"ra-1_prm_4","label":"organization-defined frequency"},{"id":"ra-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-1"},{"name":"sort-id","value":"RA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ra-1_prm_2 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ra-1_prm_4 }}; and"},{"id":"ra-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ra-1_prm_5 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","properties":[{"name":"label","value":"RA-2"},{"name":"sort-id","value":"RA-02"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts.\nSecurity categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant."}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"RA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","parameters":[{"id":"ra-3.1_prm_1","label":"organization-defined systems, system components, and system services"},{"id":"ra-3.1_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-3(1)"},{"name":"sort-id","value":"RA-03(01)"}],"links":[{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#pm-17","rel":"related","text":"PM-17"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and"},{"id":"ra-3.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","parameters":[{"id":"ra-5_prm_1","label":"organization-defined frequency and/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"RA-5"},{"name":"sort-id","value":"RA-05"}],"links":[{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","rel":"reference","text":"[SP 800-126]"},{"href":"#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","rel":"reference","text":"[IR 7788]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\nVulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\nOrganizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update System Vulnerabilities","parameters":[{"id":"ra-5.2_prm_1"},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"RA-05(02)"}],"links":[{"href":"#si-5","rel":"related","text":"SI-5"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","parameters":[{"id":"ra-5.5_prm_1","label":"organization-defined system components"},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities"}],"properties":[{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"RA-05(05)"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ ra-5.5_prm_1 }} for {{ ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","properties":[{"name":"label","value":"RA-7"},{"name":"sort-id","value":"RA-07"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","parameters":[{"id":"ra-9_prm_1","label":"organization-defined systems, system components, or system services"},{"id":"ra-9_prm_2","label":"organization-defined decision points in the system development life cycle"}],"properties":[{"name":"label","value":"RA-9"},{"name":"sort-id","value":"RA-09"}],"links":[{"href":"#7a93e915-fd58-4147-be12-e48044c367e6","rel":"reference","text":"[IR 8179]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-20","rel":"related","text":"SA-20"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ ra-9_prm_1 }} at {{ ra-9_prm_2 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2."}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2"},{"id":"sa-1_prm_3","label":"organization-defined official"},{"id":"sa-1_prm_4","label":"organization-defined frequency"},{"id":"sa-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SA-1"},{"name":"sort-id","value":"SA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sa-1_prm_2 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sa-1_prm_4 }}; and"},{"id":"sa-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sa-1_prm_5 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","properties":[{"name":"label","value":"SA-2"},{"name":"sort-id","value":"SA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle."}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","parameters":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"properties":[{"name":"label","value":"SA-3"},{"name":"sort-id","value":"SA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","rel":"reference","text":"[SP 800-171]"},{"href":"#aad55f03-8ece-4b21-b09c-9ef65b5a9f55","rel":"reference","text":"[SP 800-171B]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-22","rel":"related","text":"SA-22"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-9","rel":"related","text":"SR-9"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle."}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","parameters":[{"id":"sa-4_prm_1"},{"id":"sa-4_prm_2","depends-on":"sa-4_prm_1","label":"organization-defined contract language"}],"properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"SA-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#6ddb507b-6ddb-4e15-a8d4-0854e704446e","rel":"reference","text":"[ISO 15408-1]"},{"href":"#18abb755-c10f-407d-b0ef-4f99e5ec4a49","rel":"reference","text":"[ISO 15408-2]"},{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#daf69edb-a0ef-4447-9880-8c4bf553181f","rel":"reference","text":"[IR 7676]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#5dac2312-1d0d-416f-aebb-400fa9775b74","rel":"reference","text":"[NIAP CCEVS]"},{"href":"#634dec27-df88-4c30-b1a4-b57cdfd24f20","rel":"reference","text":"[NSA CSFC]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement."}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","properties":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"SA-04(01)"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","parameters":[{"id":"sa-4.2_prm_1"},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design and implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"properties":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"SA-04(02)"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","properties":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"SA-04(09)"}],"links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sa-9","rel":"related","text":"SA-9"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","properties":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"SA-04(10)"}],"links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pm-9","rel":"related","text":"PM-9"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations."}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","parameters":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-5"},{"name":"sort-id","value":"SA-05"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtain administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Obtain user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect documentation as required, in accordance with the organizational risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Distribute documentation to {{ sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","parameters":[{"id":"sa-8_prm_1","label":"organization-defined systems security and privacy engineering principles"}],"properties":[{"name":"label","value":"SA-8"},{"name":"sort-id","value":"SA-08"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-20","rel":"related","text":"SA-20"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-39","rel":"related","text":"SC-39"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\nThe application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design."}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"SA-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","parameters":[{"id":"sa-9.2_prm_1","label":"organization-defined external system services"}],"properties":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"SA-09(02)"}],"links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ sa-9.2_prm_1 }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","parameters":[{"id":"sa-10_prm_1"},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"SA-10"},{"name":"sort-id","value":"SA-10"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ sa-10_prm_3 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.\nThe configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","parameters":[{"id":"sa-11_prm_1"},{"id":"sa-11_prm_2","label":"organization-defined frequency"},{"id":"sa-11_prm_3","label":"organization-defined depth and coverage"}],"properties":[{"name":"label","value":"SA-11"},{"name":"sort-id","value":"SA-11"}],"links":[{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#fd0f14f5-8910-45c4-b60a-0c8936e00daa","rel":"reference","text":"[SP 800-154]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-7","rel":"related","text":"SR-7"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy assessments;"},{"id":"sa-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }};"},{"id":"sa-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","parameters":[{"id":"sa-15_prm_1","label":"organization-defined frequency"},{"id":"sa-15_prm_2","label":"organization-defined security and privacy requirements"}],"properties":[{"name":"label","value":"SA-15"},{"name":"sort-id","value":"SA-15"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#7a93e915-fd58-4147-be12-e48044c367e6","rel":"reference","text":"[IR 8179]"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ sa-15_prm_1 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes."}],"controls":[{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","parameters":[{"id":"sa-15.3_prm_1","label":"organization-defined decision points in the system development life cycle"},{"id":"sa-15.3_prm_2","label":"organization-defined breadth and depth of criticality analysis"}],"properties":[{"name":"label","value":"SA-15(3)"},{"name":"sort-id","value":"SA-15(03)"}],"links":[{"href":"#ra-9","rel":"related","text":"RA-9"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ sa-15.3_prm_1 }}; and"},{"id":"sa-15.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","parameters":[{"id":"sa-22_prm_1"},{"id":"sa-22_prm_2","depends-on":"sa-22_prm_1","label":"organization-defined support from external providers"}],"properties":[{"name":"label","value":"SA-22"},{"name":"sort-id","value":"SA-22"}],"links":[{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors."}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2"},{"id":"sc-1_prm_3","label":"organization-defined official"},{"id":"sc-1_prm_4","label":"organization-defined frequency"},{"id":"sc-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SC-1"},{"name":"sort-id","value":"SC-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sc-1_prm_2 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sc-1_prm_4 }}; and"},{"id":"sc-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sc-1_prm_5 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","properties":[{"name":"label","value":"SC-2"},{"name":"sort-id","value":"SC-02"}],"links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-22","rel":"related","text":"SC-22"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-39","rel":"related","text":"SC-39"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18)."}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","properties":[{"name":"label","value":"SC-4"},{"name":"sort-id","value":"SC-04"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","parameters":[{"id":"sc-5_prm_1"},{"id":"sc-5_prm_2","label":"organization-defined types of denial of service events"},{"id":"sc-5_prm_3","label":"organization-defined controls by type of denial of service event"}],"properties":[{"name":"label","value":"SC-5"},{"name":"sort-id","value":"SC-05"}],"links":[{"href":"#3862cd94-ff25-4631-9a9a-b92c21a0a923","rel":"reference","text":"[SP 800-189]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#sc-6","rel":"related","text":"SC-6"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-40","rel":"related","text":"SC-40"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"\n {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and"},{"id":"sc-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events."}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","parameters":[{"id":"sc-7_prm_1"}],"properties":[{"name":"label","value":"SC-7"},{"name":"sort-id","value":"SC-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#db7877cf-1013-4fb1-b943-ca9361d16370","rel":"reference","text":"[SP 800-41]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#3862cd94-ff25-4631-9a9a-b92c21a0a923","rel":"reference","text":"[SP 800-189]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-32","rel":"related","text":"SC-32"},{"href":"#sc-43","rel":"related","text":"SC-43"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions."}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","properties":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"SC-07(03)"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","parameters":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"SC-07(04)"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#sc-8","rel":"related","text":"SC-8"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ sc-7.4_prm_1 }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","properties":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","properties":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.”"}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","parameters":[{"id":"sc-7.5_prm_1"},{"id":"sc-7.5_prm_2","depends-on":"sc-7.5_prm_1","label":"organization-defined systems"}],"properties":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"SC-07(05)"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ sc-7.5_prm_1 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","properties":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"SC-07(07)"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information."}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","parameters":[{"id":"sc-7.8_prm_1","label":"organization-defined internal communications traffic"},{"id":"sc-7.8_prm_2","label":"organization-defined external networks"}],"properties":[{"name":"label","value":"SC-7(8)"},{"name":"sort-id","value":"SC-07(08)"}],"links":[{"href":"#ac-3","rel":"related","text":"AC-3"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation)."}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","parameters":[{"id":"sc-8_prm_1"}],"properties":[{"name":"label","value":"SC-8"},{"name":"sort-id","value":"SC-08"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#bbc7085f-b383-444e-af74-722a55cccc0f","rel":"reference","text":"[FIPS 197]"},{"href":"#286604ec-e383-4c1d-bd8c-d88f88e54a0f","rel":"reference","text":"[SP 800-52]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#36132a58-56fd-4980-9f6c-c010d3faf52b","rel":"reference","text":"[SP 800-113]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ia-9","rel":"related","text":"IA-9"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-28","rel":"related","text":"SC-28"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ sc-8_prm_1 }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\nOrganizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"sc-8.1_prm_1"}],"properties":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"SC-08(01)"}],"links":[{"href":"#sc-13","rel":"related","text":"SC-13"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path."}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","parameters":[{"id":"sc-10_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"SC-10"},{"name":"sort-id","value":"SC-10"}],"links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#sc-23","rel":"related","text":"SC-23"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses."}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","parameters":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"properties":[{"name":"label","value":"SC-12"},{"name":"sort-id","value":"SC-12"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#77dc1838-3664-4faa-bc6e-4e2a16e52f35","rel":"reference","text":"[SP 800-56A]"},{"href":"#f417e4ec-cadb-47a8-a363-6006b32c28ad","rel":"reference","text":"[SP 800-56B]"},{"href":"#7c3ba335-62bd-4f03-888f-960790409b11","rel":"reference","text":"[SP 800-56C]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#f437b52f-7f26-42aa-8e8f-999e7d67b2fe","rel":"reference","text":"[IR 7956]"},{"href":"#30213e10-2aca-47b3-8cdb-61303e0959f5","rel":"reference","text":"[IR 7966]"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-11","rel":"related","text":"SC-11"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","parameters":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses"},{"id":"sc-13_prm_2","label":"organization-defined types of cryptography for each specified cryptographic use"}],"properties":[{"name":"label","value":"SC-13"},{"name":"sort-id","value":"SC-13"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-40","rel":"related","text":"SC-40"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine the {{ sc-13_prm_1 }}; and"},{"id":"sc-13_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","parameters":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"properties":[{"name":"label","value":"SC-15"},{"name":"sort-id","value":"SC-15"}],"links":[{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#sc-42","rel":"related","text":"SC-42"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated."}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","parameters":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"properties":[{"name":"label","value":"SC-17"},{"name":"sort-id","value":"SC-17"}],"links":[{"href":"#b7140427-d4c4-467a-97a1-5ca9f7c6584a","rel":"reference","text":"[SP 800-32]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#sc-12","rel":"related","text":"SC-12"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ sc-17_prm_1 }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","properties":[{"name":"label","value":"SC-18"},{"name":"sort-id","value":"SC-18"}],"links":[{"href":"#8e334d74-fc06-47a9-bbb1-804fdfae0e44","rel":"reference","text":"[SP 800-28]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-3","rel":"related","text":"SI-3"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name/address Resolution Service (authoritative Source)","properties":[{"name":"label","value":"SC-20"},{"name":"sort-id","value":"SC-20"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-22","rel":"related","text":"SC-22"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name/address Resolution Service (recursive or Caching Resolver)","properties":[{"name":"label","value":"SC-21"},{"name":"sort-id","value":"SC-21"}],"links":[{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-22","rel":"related","text":"SC-22"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name/address Resolution Service","properties":[{"name":"label","value":"SC-22"},{"name":"sort-id","value":"SC-22"}],"links":[{"href":"#93d44344-59f9-4669-845d-6cc2a5852621","rel":"reference","text":"[SP 800-81-2]"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-24","rel":"related","text":"SC-24"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists."}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","properties":[{"name":"label","value":"SC-23"},{"name":"sort-id","value":"SC-23"}],"links":[{"href":"#286604ec-e383-4c1d-bd8c-d88f88e54a0f","rel":"reference","text":"[SP 800-52]"},{"href":"#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","rel":"reference","text":"[SP 800-77]"},{"href":"#1d91d984-0cb6-4f96-a01d-c39a3eee7d43","rel":"reference","text":"[SP 800-95]"},{"href":"#36132a58-56fd-4980-9f6c-c010d3faf52b","rel":"reference","text":"[SP 800-113]"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-11","rel":"related","text":"SC-11"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions."}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","parameters":[{"id":"sc-28_prm_1"},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"properties":[{"name":"label","value":"SC-28"},{"name":"sort-id","value":"SC-28"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#77dc1838-3664-4faa-bc6e-4e2a16e52f35","rel":"reference","text":"[SP 800-56A]"},{"href":"#f417e4ec-cadb-47a8-a363-6006b32c28ad","rel":"reference","text":"[SP 800-56B]"},{"href":"#7c3ba335-62bd-4f03-888f-960790409b11","rel":"reference","text":"[SP 800-56C]"},{"href":"#770f9bdc-4023-48ef-8206-c65397f061ea","rel":"reference","text":"[SP 800-57-1]"},{"href":"#69644a9e-438a-47c3-bac9-cf28b5baf848","rel":"reference","text":"[SP 800-57-2]"},{"href":"#9933c883-e8f3-4a83-9a9a-d1e058038080","rel":"reference","text":"[SP 800-57-3]"},{"href":"#1b14b50f-7154-4226-958c-7dfff8276755","rel":"reference","text":"[SP 800-111]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-16","rel":"related","text":"SI-16"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ sc-28_prm_1 }} of the following information at rest: {{ sc-28_prm_2 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage."}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"sc-28.1_prm_1","label":"organization-defined system components or media"},{"id":"sc-28.1_prm_2","label":"organization-defined information"}],"properties":[{"name":"label","value":"SC-28(1)"},{"name":"sort-id","value":"SC-28(01)"}],"links":[{"href":"#ac-19","rel":"related","text":"AC-19"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ sc-28.1_prm_1 }}: {{ sc-28.1_prm_2 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13)."}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","properties":[{"name":"label","value":"SC-39"},{"name":"sort-id","value":"SC-39"}],"links":[{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#si-16","rel":"related","text":"SI-16"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2"},{"id":"si-1_prm_3","label":"organization-defined official"},{"id":"si-1_prm_4","label":"organization-defined frequency"},{"id":"si-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-1"},{"name":"sort-id","value":"SI-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ si-1_prm_2 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ si-1_prm_4 }}; and"},{"id":"si-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ si-1_prm_5 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","parameters":[{"id":"si-2_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"SI-2"},{"name":"sort-id","value":"SI-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","rel":"reference","text":"[IR 7788]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-5","rel":"related","text":"SI-5"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\nOrganization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","parameters":[{"id":"si-2.2_prm_1","label":"organization-defined automated mechanisms"},{"id":"si-2.2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"SI-02(02)"}],"links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ si-2.2_prm_1 }}\n {{ si-2.2_prm_2 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","parameters":[{"id":"si-3_prm_1"},{"id":"si-3_prm_2","label":"organization-defined frequency"},{"id":"si-3_prm_3"},{"id":"si-3_prm_4"},{"id":"si-3_prm_5","depends-on":"si-3_prm_4","label":"organization-defined action"},{"id":"si-3_prm_6","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-3"},{"name":"sort-id","value":"SI-03"}],"links":[{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#c972a85c-fa75-4596-be25-a338dc7e4e46","rel":"reference","text":"[SP 800-125B]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-23","rel":"related","text":"SC-23"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-8","rel":"related","text":"SI-8"},{"href":"#si-15","rel":"related","text":"SI-15"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection."}]},{"id":"si-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions.\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files."}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"SI-03(01)"}],"links":[{"href":"#pl-9","rel":"related","text":"PL-9"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"Centrally manage malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls."}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","parameters":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5"},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-4"},{"name":"sort-id","value":"SI-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#02d8ec60-6197-43f8-9f47-18732127963e","rel":"reference","text":"[SP 800-92]"},{"href":"#41e2e2c6-2260-4258-85c8-09db17c43103","rel":"reference","text":"[SP 800-94]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-10","rel":"related","text":"IA-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#sc-35","rel":"related","text":"SC-35"},{"href":"#sc-36","rel":"related","text":"SC-36"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-6","rel":"related","text":"SI-6"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n {{ si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\nDepending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","properties":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"SI-04(02)"}],"links":[{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-25","rel":"related","text":"PM-25"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","parameters":[{"id":"si-4.4_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"SI-04(04)"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"Monitor inbound and outbound communications traffic {{ si-4.4_prm_1 }} for unusual or unauthorized activities or conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components."}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","parameters":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"properties":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"SI-04(05)"}],"links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#pe-6","rel":"related","text":"PE-6"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ si-4.5_prm_1 }} when the following system-generated indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats."}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","parameters":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2"},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"properties":[{"name":"label","value":"SI-5"},{"name":"sort-id","value":"SI-05"}],"links":[{"href":"#1126ec09-2b27-4a21-80b2-fef70b31c49d","rel":"reference","text":"[SP 800-40]"},{"href":"#pm-15","rel":"related","text":"PM-15"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","parameters":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","label":"organization-defined actions"}],"properties":[{"name":"label","value":"SI-7"},{"name":"sort-id","value":"SI-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#e9224c9b-4fa5-40b7-bfbb-02bff7712d92","rel":"reference","text":"[SP 800-147]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#sc-37","rel":"related","text":"SC-37"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ si-7_prm_1 }}; and"},{"id":"si-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications."}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","parameters":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2"},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"SI-07(01)"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ si-7.1_prm_1 }}\n {{ si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","parameters":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the system"}],"properties":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"SI-07(07)"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ si-7.7_prm_1 }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges."}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","properties":[{"name":"label","value":"SI-8"},{"name":"sort-id","value":"SI-08"}],"links":[{"href":"#23b0a203-c020-47dd-b86c-9f8c35ecaa4e","rel":"reference","text":"[SP 800-45]"},{"href":"#64e044e4-b2a9-490f-a079-1106407c812f","rel":"reference","text":"[SP 800-177]"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"SI-08(01)"}],"links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"Centrally manage spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls."}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","parameters":[{"id":"si-8.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"SI-08(02)"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ si-8.2_prm_1 }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability."}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","parameters":[{"id":"si-10_prm_1","label":"organization-defined information inputs to the system"}],"properties":[{"name":"label","value":"SI-10"},{"name":"sort-id","value":"SI-10"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks."}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","parameters":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-11"},{"name":"sort-id","value":"SI-11"}],"links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#sc-31","rel":"related","text":"SC-31"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"SI-12"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sr-1","rel":"related","text":"SR-1"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel."}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","parameters":[{"id":"si-16_prm_1","label":"organization-defined controls"}],"properties":[{"name":"label","value":"SI-16"},{"name":"sort-id","value":"SI-16"}],"links":[{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sc-3","rel":"related","text":"SC-3"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ si-16_prm_1 }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sr-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sr-1_prm_2"},{"id":"sr-1_prm_3","label":"organization-defined official"},{"id":"sr-1_prm_4","label":"organization-defined frequency"},{"id":"sr-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-1"},{"name":"sort-id","value":"SR-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sr-1_prm_2 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sr-1_prm_4 }}; and"},{"id":"sr-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sr-1_prm_5 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","parameters":[{"id":"sr-2_prm_1","label":"organization-defined systems, system components, or system services"},{"id":"sr-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-2"},{"name":"sort-id","value":"SR-02"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }};"},{"id":"sr-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management plan consistently across the organization; and"},{"id":"sr-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans.\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8)."}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish Scrm Team","parameters":[{"id":"sr-2.1_prm_1","label":"organization-defined personnel, roles, and responsibilities"},{"id":"sr-2.1_prm_2","label":"organization-defined supply chain risk management activities"}],"properties":[{"name":"label","value":"SR-2(1)"},{"name":"sort-id","value":"SR-02(01)"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team."}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","parameters":[{"id":"sr-3_prm_1","label":"organization-defined system or system component"},{"id":"sr-3_prm_2","label":"organization-defined supply chain personnel"},{"id":"sr-3_prm_3","label":"organization-defined supply chain controls"},{"id":"sr-3_prm_4"},{"id":"sr-3_prm_5","depends-on":"sr-3_prm_4","label":"organization-defined document"}],"properties":[{"name":"label","value":"SR-3"},{"name":"sort-id","value":"SR-03"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-6","rel":"related","text":"MA-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-29","rel":"related","text":"SC-29"},{"href":"#sc-30","rel":"related","text":"SC-30"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }};"},{"id":"sr-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and"},{"id":"sr-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","parameters":[{"id":"sr-5_prm_1","label":"organization-defined acquisition strategies, contract tools, and procurement methods"}],"properties":[{"name":"label","value":"SR-5"},{"name":"sort-id","value":"SR-05"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Reviews","parameters":[{"id":"sr-6_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SR-6"},{"name":"sort-id","value":"SR-06"}],"links":[{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","rel":"reference","text":"[FIPS 180-4]"},{"href":"#0b9fe06d-1b89-4dba-b9f8-3baf51504b17","rel":"reference","text":"[FIPS 186-4]"},{"href":"#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","rel":"reference","text":"[FIPS 202]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ sr-6_prm_1 }}."},{"id":"sr-6_gdn","name":"guidance","prose":"A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts."}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","parameters":[{"id":"sr-8_prm_1"},{"id":"sr-8_prm_2","depends-on":"sr-8_prm_1","label":"organization-defined information"}],"properties":[{"name":"label","value":"SR-8"},{"name":"sort-id","value":"SR-08"}],"links":[{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","parameters":[{"id":"sr-10_prm_1"},{"id":"sr-10_prm_2","depends-on":"sr-10_prm_1","label":"organization-defined frequency"},{"id":"sr-10_prm_3","depends-on":"sr-10_prm_1","label":"organization-defined indications of need for inspection"},{"id":"sr-10_prm_4","label":"organization-defined systems or system components"}],"properties":[{"name":"label","value":"SR-10"},{"name":"sort-id","value":"SR-10"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-4","rel":"related","text":"SR-4"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations."}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","parameters":[{"id":"sr-11_prm_1"},{"id":"sr-11_prm_2","depends-on":"sr-11_prm_1","label":"organization-defined external reporting organizations"},{"id":"sr-11_prm_3","depends-on":"sr-11_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SR-11"},{"name":"sort-id","value":"SR-11"}],"links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#sr-9","rel":"related","text":"SR-9"},{"href":"#sr-10","rel":"related","text":"SR-10"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ sr-11_prm_1 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","parameters":[{"id":"sr-11.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SR-11(1)"},{"name":"sort-id","value":"SR-11(01)"}],"links":[{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","parameters":[{"id":"sr-11.2_prm_1","label":"organization-defined system components"}],"properties":[{"name":"label","value":"SR-11(2)"},{"name":"sort-id","value":"SR-11(02)"}],"links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#sa-10","rel":"related","text":"SA-10"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."}]},{"id":"sr-11.3","class":"SP800-53-enhancement","title":"Component Disposal","parameters":[{"id":"sr-11.3_prm_1","label":"organization-defined techniques and methods"}],"properties":[{"name":"label","value":"SR-11(3)"},{"name":"sort-id","value":"SR-11(03)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"}],"parts":[{"id":"sr-11.3_smt","name":"statement","prose":"Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}."},{"id":"sr-11.3_gdn","name":"guidance","prose":"Proper disposal of system components helps to prevent such components from entering the gray market."}]}]}]}],"back-matter":{"resources":[{"uuid":"a7dfa526-b81f-41d7-9875-c8b0faafe74b","title":"[PRIVACT]","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf"}]},{"uuid":"43facb7b-0afb-480f-8191-34790d5b444b","title":"[EVIDACT]","citation":{"text":"Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019."},"rlinks":[{"href":"https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf"}]},{"uuid":"52a8b0c6-0c6b-424b-928d-41c50ba87838","title":"[EO 13526]","citation":{"text":"Executive Order 13526, *Classified National Security Information*, December 2009."},"rlinks":[{"href":"https://www.archives.gov/isoo/policy-documents/cnsi-eo.html"}]},{"uuid":"14958422-54f6-471f-a345-802dca594dd8","title":"[FISMA]","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf"}]},{"uuid":"2b5e12fb-633f-49e6-8aff-81d75bf53545","title":"[EO 13587]","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011."},"rlinks":[{"href":"https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"cde25174-38e0-4a00-8919-8ee3674b8088","title":"[HSPD 7]","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003."},"rlinks":[{"href":"https://www.dhs.gov/homeland-security-presidential-directive-7"}]},{"uuid":"2383ccfd-d8a0-4e3a-bf40-21288ae1e07a","title":"[5 CFR 731]","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106)."},"rlinks":[{"href":"https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"742b7c0e-218e-4fca-9c3d-5f264bbaf2bc","title":"[32 CFR 2002]","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002)."},"rlinks":[{"href":"https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information"}]},{"uuid":"286d42a1-efbe-49a2-9ce1-4c9bf68feb3b","title":"[ODNI NITP]","citation":{"text":"Office of the Director National Intelligence, *National Insider Threat Policy*\n "},"rlinks":[{"href":"https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf"}]},{"uuid":"395f6bb9-bcc2-41fc-977f-04372f4a6a82","title":"[OMB A-108]","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf"}]},{"uuid":"a646d45d-775f-4887-86d3-5a00ffbc4090","title":"[OMB A-130]","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016."},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf"}]},{"uuid":"f7d3617a-9a4f-4f1a-a688-845081b70390","title":"[OMB M-17-06]","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf"}]},{"uuid":"389fe193-866e-46b1-bf1d-38904b56aa7b","title":"[OMB M-17-12]","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n "},"rlinks":[{"href":"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf"}]},{"uuid":"ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3","title":"[OMB M-17-25]","citation":{"text":"Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf"}]},{"uuid":"d843e915-eeb6-4bbe-8cab-ccc802088703","title":"[OMB M-19-23]","citation":{"text":"Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf"}]},{"uuid":"ee96f130-3f91-46ed-a4d8-57e5f220a623","title":"[CNSSI 1253]","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014."},"rlinks":[{"href":"https://www.cnss.gov/CNSS/issuances/Instructions.cfm"}]},{"uuid":"24b7b1ec-6430-41de-9353-29fdb1b488fc","title":"[DHS NIPP]","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009."},"rlinks":[{"href":"https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf"}]},{"uuid":"6ddb507b-6ddb-4e15-a8d4-0854e704446e","title":"[ISO 15408-1]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf"}]},{"uuid":"18abb755-c10f-407d-b0ef-4f99e5ec4a49","title":"[ISO 15408-2]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf"}]},{"uuid":"2ce3a8bf-7f8b-4249-bd16-808231415b14","title":"[ISO 15408-3]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf"}]},{"uuid":"aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","title":"[FIPS 140-3]","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.140-3"}]},{"uuid":"d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd","title":"[FIPS 180-4]","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.180-4"}]},{"uuid":"0b9fe06d-1b89-4dba-b9f8-3baf51504b17","title":"[FIPS 186-4]","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.186-4"}]},{"uuid":"bbc7085f-b383-444e-af74-722a55cccc0f","title":"[FIPS 197]","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.197"}]},{"uuid":"b3e26423-0687-47c7-ba9a-a96870d58a27","title":"[FIPS 199]","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.199"}]},{"uuid":"f2163084-3287-45e2-9ee7-95f020415495","title":"[FIPS 200]","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.200"}]},{"uuid":"ab414c48-b7a2-4ffe-b74d-4d8b8120adce","title":"[FIPS 201-2]","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.201-2"}]},{"uuid":"11b9fa15-bc4e-4669-ab65-a2bf74daa9fa","title":"[FIPS 202]","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.202"}]},{"uuid":"12702585-0c72-43c9-9185-a76a59f74233","title":"[SP 800-12]","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"ae962073-f9bb-4210-b1ad-53ef6f6afad6","title":"[SP 800-18]","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-18r1"}]},{"uuid":"8e334d74-fc06-47a9-bbb1-804fdfae0e44","title":"[SP 800-28]","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-28ver2"}]},{"uuid":"1d9f757b-00d5-4db1-b15b-0ad641c6df7c","title":"[SP 800-30]","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-30r1"}]},{"uuid":"b7140427-d4c4-467a-97a1-5ca9f7c6584a","title":"[SP 800-32]","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-32"}]},{"uuid":"65774382-fcc6-4bbc-89fc-9d35aab19952","title":"[SP 800-34]","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-34r1"}]},{"uuid":"ed919d0d-8e21-4df6-801d-3fbc4cb8a505","title":"[SP 800-35]","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-35"}]},{"uuid":"e07d73ea-96b9-4330-aff2-e0215f455343","title":"[SP 800-37]","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-37r2"}]},{"uuid":"451e9636-402e-4c27-b3f5-e0e50f957f27","title":"[SP 800-39]","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-39"}]},{"uuid":"1126ec09-2b27-4a21-80b2-fef70b31c49d","title":"[SP 800-40]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-40r3"}]},{"uuid":"db7877cf-1013-4fb1-b943-ca9361d16370","title":"[SP 800-41]","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-41r1"}]},{"uuid":"23b0a203-c020-47dd-b86c-9f8c35ecaa4e","title":"[SP 800-45]","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-45ver2"}]},{"uuid":"7768c184-088d-4ee8-a316-f9286b52df7f","title":"[SP 800-46]","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-46r2"}]},{"uuid":"2e66c31a-190e-49ad-8e00-f306f8a0df17","title":"[SP 800-47]","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-47"}]},{"uuid":"2e29c363-d5be-47ba-92f5-f8a58a69b65e","title":"[SP 800-50]","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-50"}]},{"uuid":"286604ec-e383-4c1d-bd8c-d88f88e54a0f","title":"[SP 800-52]","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-52r2"}]},{"uuid":"5db6dfe4-788e-4183-93b9-f6fb29d75e41","title":"[SP 800-53A]","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-53Ar4"}]},{"uuid":"31f3c9de-c57c-4281-929b-f9951f9640f1","title":"[SP 800-53B]","citation":{"text":"National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020."}},{"uuid":"8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","title":"[SP 800-55]","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-55r1"}]},{"uuid":"77dc1838-3664-4faa-bc6e-4e2a16e52f35","title":"[SP 800-56A]","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Ar3"}]},{"uuid":"f417e4ec-cadb-47a8-a363-6006b32c28ad","title":"[SP 800-56B]","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Br2"}]},{"uuid":"7c3ba335-62bd-4f03-888f-960790409b11","title":"[SP 800-56C]","citation":{"text":"Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-56Cr1"}]},{"uuid":"770f9bdc-4023-48ef-8206-c65397f061ea","title":"[SP 800-57-1]","citation":{"text":"Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt1r4"}]},{"uuid":"69644a9e-438a-47c3-bac9-cf28b5baf848","title":"[SP 800-57-2]","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt2r1"}]},{"uuid":"9933c883-e8f3-4a83-9a9a-d1e058038080","title":"[SP 800-57-3]","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-57pt3r1"}]},{"uuid":"68949f14-9cf5-4116-91d8-e820b9df3ffd","title":"[SP 800-60 v1]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v1r1"}]},{"uuid":"e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","title":"[SP 800-60 v2]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v2r1"}]},{"uuid":"7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","title":"[SP 800-61]","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-61r2"}]},{"uuid":"549993c0-9bdd-4d49-875c-f56950cc5f30","title":"[SP 800-63-3]","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-63-3"}]},{"uuid":"3c50fa31-7f4d-4d30-91d7-27ee87cd5f75","title":"[SP 800-63A]","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-63a"}]},{"uuid":"14a7d982-9747-48e0-a877-3e8fbf6ae381","title":"[SP 800-70]","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-70r4"}]},{"uuid":"3d6b3a16-94e7-4a43-8648-8bdeaadb271b","title":"[SP 800-73-4]","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-73-4"}]},{"uuid":"d5ef0056-c807-44c3-a7b5-6eb491538f8e","title":"[SP 800-76-2]","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-76-2"}]},{"uuid":"8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa","title":"[SP 800-77]","citation":{"text":"Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-77"}]},{"uuid":"013e098f-0680-4856-a130-b768c69dab9c","title":"[SP 800-78-4]","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-78-4"}]},{"uuid":"bb55e71a-e059-4263-8dd8-bc96fd3f063d","title":"[SP 800-79-2]","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-79-2"}]},{"uuid":"93d44344-59f9-4669-845d-6cc2a5852621","title":"[SP 800-81-2]","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-81-2"}]},{"uuid":"8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","title":"[SP 800-83]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-83r1"}]},{"uuid":"20bf433b-074c-47a0-8fca-cd591772ccd6","title":"[SP 800-84]","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-84"}]},{"uuid":"35dfd59f-eef2-4f71-bdb5-6d878267456a","title":"[SP 800-86]","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-86"}]},{"uuid":"fed6a3b5-2b74-499f-9172-46671f7c24c8","title":"[SP 800-88]","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-88r1"}]},{"uuid":"02d8ec60-6197-43f8-9f47-18732127963e","title":"[SP 800-92]","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-92"}]},{"uuid":"41e2e2c6-2260-4258-85c8-09db17c43103","title":"[SP 800-94]","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-94"}]},{"uuid":"1d91d984-0cb6-4f96-a01d-c39a3eee7d43","title":"[SP 800-95]","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-95"}]},{"uuid":"6bed1550-cd5d-4e80-8d83-4e597c1514fe","title":"[SP 800-97]","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-97"}]},{"uuid":"9183bd83-170e-4701-b32c-97e08ef8bedb","title":"[SP 800-100]","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"1e2c475a-84ae-4c60-b420-8fb2ea552b71","title":"[SP 800-101]","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-101r1"}]},{"uuid":"1b14b50f-7154-4226-958c-7dfff8276755","title":"[SP 800-111]","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-111"}]},{"uuid":"36132a58-56fd-4980-9f6c-c010d3faf52b","title":"[SP 800-113]","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-113"}]},{"uuid":"49fa1ee1-aaf7-4270-bb5a-a86497f717dc","title":"[SP 800-114]","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-114r1"}]},{"uuid":"a6b97214-55d4-4b86-a3a4-53d5911d96f7","title":"[SP 800-115]","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"ad7d575f-b5fe-489b-8d48-36a93d964a5f","title":"[SP 800-116]","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-116r1"}]},{"uuid":"60b24979-65b8-4ca5-a442-11b74339fab5","title":"[SP 800-121]","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-121r2"}]},{"uuid":"18c6942b-95f8-414c-b548-c8e6b8d8a172","title":"[SP 800-124]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-124r1"}]},{"uuid":"c972a85c-fa75-4596-be25-a338dc7e4e46","title":"[SP 800-125B]","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-125B"}]},{"uuid":"0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f","title":"[SP 800-126]","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-126r3"}]},{"uuid":"a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","title":"[SP 800-128]","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-128"}]},{"uuid":"ae412317-c2b4-47bb-b47b-c329ce0d7a0b","title":"[SP 800-130]","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-130"}]},{"uuid":"c3b34083-77b2-4dab-a980-73068f8933bd","title":"[SP 800-137]","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-137"}]},{"uuid":"e9224c9b-4fa5-40b7-bfbb-02bff7712d92","title":"[SP 800-147]","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-147"}]},{"uuid":"ad3e8f21-07c6-4968-b002-00b64dfa70ae","title":"[SP 800-150]","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-150"}]},{"uuid":"38dbdf55-9a14-446f-b563-c48e4e3d37fb","title":"[SP 800-152]","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-152"}]},{"uuid":"fd0f14f5-8910-45c4-b60a-0c8936e00daa","title":"[SP 800-154]","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https://csrc.nist.gov/publications/detail/sp/800-154/draft"}]},{"uuid":"f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa","title":"[SP 800-156]","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-156"}]},{"uuid":"8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","title":"[SP 800-160 v1]","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v1"}]},{"uuid":"8411e6e8-09bd-431d-bbcb-3423d36ad880","title":"[SP 800-160 v2]","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v2"}]},{"uuid":"66476e76-46b4-47fb-be19-d13e6f3840df","title":"[SP 800-161]","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-161"}]},{"uuid":"359f960c-2598-454c-ba3b-a30c553e498f","title":"[SP 800-162]","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-162"}]},{"uuid":"a8f55663-86c5-415b-aabe-d2a126981d65","title":"[SP 800-166]","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-166"}]},{"uuid":"893d1736-324c-41d6-a5f4-d526b5ca981a","title":"[SP 800-167]","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-167"}]},{"uuid":"0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a","title":"[SP 800-171]","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-171r2"}]},{"uuid":"aad55f03-8ece-4b21-b09c-9ef65b5a9f55","title":"[SP 800-171B]","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B."},"rlinks":[{"href":"https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf"}]},{"uuid":"64e044e4-b2a9-490f-a079-1106407c812f","title":"[SP 800-177]","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-177r1"}]},{"uuid":"223b23a9-baea-4a50-8058-63cf7967b61f","title":"[SP 800-178]","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-178"}]},{"uuid":"f4c3f657-de83-47ae-9aec-e144de8268d1","title":"[SP 800-181]","citation":{"text":"Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-181"}]},{"uuid":"08f518f7-f9b9-4bee-8986-860214f46b16","title":"[SP 800-184]","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-184"}]},{"uuid":"eadef75e-7e4d-4554-b818-44946c1dde0e","title":"[SP 800-188]","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https://csrc.nist.gov/publications/detail/sp/800-188/draft"}]},{"uuid":"3862cd94-ff25-4631-9a9a-b92c21a0a923","title":"[SP 800-189]","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-189"}]},{"uuid":"06d3c11a-4a00-42d9-ad75-e6a777ffae5e","title":"[SP 800-192]","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-192"}]},{"uuid":"d4779b49-8acc-45ef-b4f0-30f945e81d1b","title":"[IR 7539]","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7539"}]},{"uuid":"09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","title":"[IR 7559]","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7559"}]},{"uuid":"7b03adec-4405-4aac-94a0-6a9eb3f42e31","title":"[IR 7622]","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7622"}]},{"uuid":"daf69edb-a0ef-4447-9880-8c4bf553181f","title":"[IR 7676]","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7676"}]},{"uuid":"bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c","title":"[IR 7788]","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7788"}]},{"uuid":"a49f67fc-827c-40e6-9a37-2b1cbe8142fd","title":"[IR 7817]","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7817"}]},{"uuid":"972c10bd-aedf-485f-b0db-f46a402127e2","title":"[IR 7849]","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7849"}]},{"uuid":"197f7ba7-9af8-4a67-b3a4-5523d850e53b","title":"[IR 7870]","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7870"}]},{"uuid":"bb22d510-54a9-4588-b725-00d37576562b","title":"[IR 7874]","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7874"}]},{"uuid":"f437b52f-7f26-42aa-8e8f-999e7d67b2fe","title":"[IR 7956]","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7956"}]},{"uuid":"30213e10-2aca-47b3-8cdb-61303e0959f5","title":"[IR 7966]","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7966"}]},{"uuid":"851b5ba4-6aa0-4583-857c-4c360cbdf2a0","title":"[IR 8011 v1]","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8011-1"}]},{"uuid":"7e7538d7-9c3a-4e5f-bbb4-638cec975415","title":"[IR 8023]","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8023"}]},{"uuid":"24738ee6-b3f3-4e37-825b-58775846bdbc","title":"[IR 8040]","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8040"}]},{"uuid":"817b4227-5857-494d-9032-915980b32f15","title":"[IR 8062]","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8062"}]},{"uuid":"7a93e915-fd58-4147-be12-e48044c367e6","title":"[IR 8179]","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8179"}]},{"uuid":"294eed19-7471-4517-9480-2ec73e7c6a78","title":"[DOD STIG]","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https://iase.disa.mil/stigs/Pages/index.aspx"}]},{"uuid":"17ca9481-ea11-4ef2-81c1-885fd37d4be5","title":"[IETF 5905]","citation":{"text":""}},{"uuid":"dd87fdf0-840d-4392-9de4-220b2327e340","title":"[NARA CUI]","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https://www.archives.gov/cui"}]},{"uuid":"5dac2312-1d0d-416f-aebb-400fa9775b74","title":"[NIAP CCEVS]","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https://www.niap-ccevs.org/"}]},{"uuid":"5cc04a1c-5489-4751-a493-746a9639067b","title":"[NCPR]","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at"},"rlinks":[{"href":"https://nvd.nist.gov/ncp/repository"}]},{"uuid":"634dec27-df88-4c30-b1a4-b57cdfd24f20","title":"[NSA CSFC]","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/csfc"}]},{"uuid":"a52271dc-11b5-423a-8b6f-14867bd94259","title":"[NSA MEDIA]","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/media-destruction"}]},{"uuid":"06842bea-64c9-4e20-807a-b8fc003fa737","title":"[USGCB]","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at"},"rlinks":[{"href":"https://csrc.nist.gov/projects/united-states-government-configuration-baseline"}]}]}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.json deleted file mode 100644 index 823e60eb6f..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.json +++ /dev/null @@ -1,36638 +0,0 @@ -{ - "catalog": { - "uuid": "b50ea9d9-e0b8-4e91-a6b8-1ad84fb0488e", - "metadata": { - "title": "SP800-53 MODERATE IMPACT BASELINE", - "last-modified": "2020-08-26T16:28:37.775-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "properties": [ - { - "name": "resolution-timestamp", - "value": "2020-08-31T17:39:50.308351Z" - } - ], - "links": [ - { - "href": "NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml", - "rel": "resolution-source", - "text": "SP800-53 MODERATE IMPACT BASELINE" - } - ], - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "2ef7cfec-cb8e-4571-a7a2-a5c609b4767a", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "2ef7cfec-cb8e-4571-a7a2-a5c609b4767a" - ] - }, - "contact": { - "party-uuids": [ - "2ef7cfec-cb8e-4571-a7a2-a5c609b4767a" - ] - } - } - }, - "groups": [ - { - "id": "ac", - "class": "family", - "title": "Access Control", - "controls": [ - { - "id": "ac-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ac-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-1_prm_2" - }, - { - "id": "ac-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ac-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ac-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-1" - }, - { - "name": "sort-id", - "value": "AC-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ac-1_smt", - "name": "statement", - "parts": [ - { - "id": "ac-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ac-1_prm_1 }}:", - "parts": [ - { - "id": "ac-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ac-1_prm_2 }} access control policy that:", - "parts": [ - { - "id": "ac-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ac-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ac-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" - } - ] - }, - { - "id": "ac-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" - }, - { - "id": "ac-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current access control:", - "parts": [ - { - "id": "ac-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ac-1_prm_4 }}; and" - }, - { - "id": "ac-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ac-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ac-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ac-2", - "class": "SP800-53", - "title": "Account Management", - "parameters": [ - { - "id": "ac-2_prm_1", - "label": "organization-defined attributes (as required)" - }, - { - "id": "ac-2_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-2_prm_3", - "label": "organization-defined policy, procedures, and conditions" - }, - { - "id": "ac-2_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-2_prm_5", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_6", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_7", - "label": "organization-defined time-period" - }, - { - "id": "ac-2_prm_8", - "label": "organization-defined attributes (as required)" - }, - { - "id": "ac-2_prm_9", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2" - }, - { - "name": "sort-id", - "value": "AC-02" - } - ], - "links": [ - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#06d3c11a-4a00-42d9-ad75-e6a777ffae5e", - "rel": "reference", - "text": "[SP 800-192]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ac-24", - "rel": "related", - "text": "AC-24" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - } - ], - "parts": [ - { - "id": "ac-2_smt", - "name": "statement", - "parts": [ - { - "id": "ac-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define and document the types of accounts allowed for use within the system;" - }, - { - "id": "ac-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Assign account managers;" - }, - { - "id": "ac-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Establish conditions for group and role membership;" - }, - { - "id": "ac-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Specify:", - "parts": [ - { - "id": "ac-2_smt.d.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Authorized users of the system;" - }, - { - "id": "ac-2_smt.d.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Group and role membership; and" - }, - { - "id": "ac-2_smt.d.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account;" - } - ] - }, - { - "id": "ac-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Require approvals by {{ ac-2_prm_2 }} for requests to create accounts;" - }, - { - "id": "ac-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }};" - }, - { - "id": "ac-2_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Monitor the use of accounts;" - }, - { - "id": "ac-2_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Notify account managers and {{ ac-2_prm_4 }} within:", - "parts": [ - { - "id": "ac-2_smt.h.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ac-2_prm_5 }} when accounts are no longer required;" - }, - { - "id": "ac-2_smt.h.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ ac-2_prm_6 }} when users are terminated or transferred; and" - }, - { - "id": "ac-2_smt.h.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "\n {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual;" - } - ] - }, - { - "id": "ac-2_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Authorize access to the system based on:", - "parts": [ - { - "id": "ac-2_smt.i.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "A valid access authorization;" - }, - { - "id": "ac-2_smt.i.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Intended system usage; and" - }, - { - "id": "ac-2_smt.i.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "\n {{ ac-2_prm_8 }};" - } - ] - }, - { - "id": "ac-2_smt.j", - "name": "item", - "properties": [ - { - "name": "label", - "value": "j." - } - ], - "prose": "Review accounts for compliance with account management requirements {{ ac-2_prm_9 }};" - }, - { - "id": "ac-2_smt.k", - "name": "item", - "properties": [ - { - "name": "label", - "value": "k." - } - ], - "prose": "Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and" - }, - { - "id": "ac-2_smt.l", - "name": "item", - "properties": [ - { - "name": "label", - "value": "l." - } - ], - "prose": "Align account management processes with personnel termination and transfer processes." - } - ] - }, - { - "id": "ac-2_gdn", - "name": "guidance", - "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy.\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." - } - ], - "controls": [ - { - "id": "ac-2.1", - "class": "SP800-53-enhancement", - "title": "Automated System Account Management", - "parameters": [ - { - "id": "ac-2.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(1)" - }, - { - "name": "sort-id", - "value": "AC-02(01)" - } - ], - "parts": [ - { - "id": "ac-2.1_smt", - "name": "statement", - "prose": "Support the management of system accounts using {{ ac-2.1_prm_1 }}." - }, - { - "id": "ac-2.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage." - } - ] - }, - { - "id": "ac-2.2", - "class": "SP800-53-enhancement", - "title": "Automated Temporary and Emergency Account Management", - "parameters": [ - { - "id": "ac-2.2_prm_1" - }, - { - "id": "ac-2.2_prm_2", - "label": "organization-defined time-period for each type of account" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(2)" - }, - { - "name": "sort-id", - "value": "AC-02(02)" - } - ], - "parts": [ - { - "id": "ac-2.2_smt", - "name": "statement", - "prose": "Automatically {{ ac-2.2_prm_1 }} temporary and emergency accounts after {{ ac-2.2_prm_2 }}." - }, - { - "id": "ac-2.2_gdn", - "name": "guidance", - "prose": "Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation." - } - ] - }, - { - "id": "ac-2.3", - "class": "SP800-53-enhancement", - "title": "Disable Accounts", - "parameters": [ - { - "id": "ac-2.3_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(3)" - }, - { - "name": "sort-id", - "value": "AC-02(03)" - } - ], - "parts": [ - { - "id": "ac-2.3_smt", - "name": "statement", - "prose": "Disable accounts when the accounts:", - "parts": [ - { - "id": "ac-2.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Have expired;" - }, - { - "id": "ac-2.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Are no longer associated with a user or individual;" - }, - { - "id": "ac-2.3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Are in violation of organizational policy; or" - }, - { - "id": "ac-2.3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Have been inactive for {{ ac-2.3_prm_1 }}." - } - ] - }, - { - "id": "ac-2.3_gdn", - "name": "guidance", - "prose": "Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system." - } - ] - }, - { - "id": "ac-2.4", - "class": "SP800-53-enhancement", - "title": "Automated Audit Actions", - "properties": [ - { - "name": "label", - "value": "AC-2(4)" - }, - { - "name": "sort-id", - "value": "AC-02(04)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - } - ], - "parts": [ - { - "id": "ac-2.4_smt", - "name": "statement", - "prose": "Automatically audit account creation, modification, enabling, disabling, and removal actions." - }, - { - "id": "ac-2.4_gdn", - "name": "guidance", - "prose": "Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6." - } - ] - }, - { - "id": "ac-2.5", - "class": "SP800-53-enhancement", - "title": "Inactivity Logout", - "parameters": [ - { - "id": "ac-2.5_prm_1", - "label": "organization-defined time-period of expected inactivity or description of when to log out" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(5)" - }, - { - "name": "sort-id", - "value": "AC-02(05)" - } - ], - "links": [ - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - } - ], - "parts": [ - { - "id": "ac-2.5_smt", - "name": "statement", - "prose": "Require that users log out when {{ ac-2.5_prm_1 }}." - }, - { - "id": "ac-2.5_gdn", - "name": "guidance", - "prose": "Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11." - } - ] - }, - { - "id": "ac-2.13", - "class": "SP800-53-enhancement", - "title": "Disable Accounts for High-risk Individuals", - "parameters": [ - { - "id": "ac-2.13_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ac-2.13_prm_2", - "label": "organization-defined significant risks" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-2(13)" - }, - { - "name": "sort-id", - "value": "AC-02(13)" - } - ], - "links": [ - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-2.13_smt", - "name": "statement", - "prose": "Disable accounts of users within {{ ac-2.13_prm_1 }} of discovery of {{ ac-2.13_prm_2 }}." - }, - { - "id": "ac-2.13_gdn", - "name": "guidance", - "prose": "Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement." - } - ] - } - ] - }, - { - "id": "ac-3", - "class": "SP800-53", - "title": "Access Enforcement", - "properties": [ - { - "name": "label", - "value": "AC-3" - }, - { - "name": "sort-id", - "value": "AC-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#ac-24", - "rel": "related", - "text": "AC-24" - }, - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-4", - "rel": "related", - "text": "SC-4" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-3_smt", - "name": "statement", - "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." - }, - { - "id": "ac-3_gdn", - "name": "guidance", - "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family." - } - ] - }, - { - "id": "ac-4", - "class": "SP800-53", - "title": "Information Flow Enforcement", - "parameters": [ - { - "id": "ac-4_prm_1", - "label": "organization-defined information flow control policies" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-4" - }, - { - "name": "sort-id", - "value": "AC-04" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#359f960c-2598-454c-ba3b-a30c553e498f", - "rel": "reference", - "text": "[SP 800-162]" - }, - { - "href": "#223b23a9-baea-4a50-8058-63cf7967b61f", - "rel": "reference", - "text": "[SP 800-178]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-4", - "rel": "related", - "text": "SC-4" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-16", - "rel": "related", - "text": "SC-16" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - } - ], - "parts": [ - { - "id": "ac-4_smt", - "name": "statement", - "prose": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ ac-4_prm_1 }}." - }, - { - "id": "ac-4_gdn", - "name": "guidance", - "prose": "Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels.\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS)." - } - ] - }, - { - "id": "ac-5", - "class": "SP800-53", - "title": "Separation of Duties", - "parameters": [ - { - "id": "ac-5_prm_1", - "label": "organization-defined duties of individuals requiring separation" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-5" - }, - { - "name": "sort-id", - "value": "AC-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "ac-5_smt", - "name": "statement", - "parts": [ - { - "id": "ac-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document {{ ac-5_prm_1 }}; and" - }, - { - "id": "ac-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define system access authorizations to support separation of duties." - } - ] - }, - { - "id": "ac-5_gdn", - "name": "guidance", - "prose": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3." - } - ] - }, - { - "id": "ac-6", - "class": "SP800-53", - "title": "Least Privilege", - "properties": [ - { - "name": "label", - "value": "AC-6" - }, - { - "name": "sort-id", - "value": "AC-06" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - } - ], - "parts": [ - { - "id": "ac-6_smt", - "name": "statement", - "prose": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." - }, - { - "id": "ac-6_gdn", - "name": "guidance", - "prose": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems." - } - ], - "controls": [ - { - "id": "ac-6.1", - "class": "SP800-53-enhancement", - "title": "Authorize Access to Security Functions", - "parameters": [ - { - "id": "ac-6.1_prm_1", - "label": "organization-defined individuals or roles" - }, - { - "id": "ac-6.1_prm_2", - "label": "organization-defined security functions (deployed in hardware, software, and firmware)" - }, - { - "id": "ac-6.1_prm_3", - "label": "organization-defined security-relevant information" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(1)" - }, - { - "name": "sort-id", - "value": "AC-06(01)" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - } - ], - "parts": [ - { - "id": "ac-6.1_smt", - "name": "statement", - "prose": "Explicitly authorize access for {{ ac-6.1_prm_1 }} to:", - "parts": [ - { - "id": "ac-6.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "\n {{ ac-6.1_prm_2 }}; and" - }, - { - "id": "ac-6.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "\n {{ ac-6.1_prm_3 }}." - } - ] - }, - { - "id": "ac-6.1_gdn", - "name": "guidance", - "prose": "Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users." - } - ] - }, - { - "id": "ac-6.2", - "class": "SP800-53-enhancement", - "title": "Non-privileged Access for Nonsecurity Functions", - "parameters": [ - { - "id": "ac-6.2_prm_1", - "label": "organization-defined security functions or security-relevant information" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(2)" - }, - { - "name": "sort-id", - "value": "AC-06(02)" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - } - ], - "parts": [ - { - "id": "ac-6.2_smt", - "name": "statement", - "prose": "Require that users of system accounts (or roles) with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions." - }, - { - "id": "ac-6.2_gdn", - "name": "guidance", - "prose": "Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account." - } - ] - }, - { - "id": "ac-6.5", - "class": "SP800-53-enhancement", - "title": "Privileged Accounts", - "parameters": [ - { - "id": "ac-6.5_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(5)" - }, - { - "name": "sort-id", - "value": "AC-06(05)" - } - ], - "links": [ - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - } - ], - "parts": [ - { - "id": "ac-6.5_smt", - "name": "statement", - "prose": "Restrict privileged accounts on the system to {{ ac-6.5_prm_1 }}." - }, - { - "id": "ac-6.5_gdn", - "name": "guidance", - "prose": "Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk." - } - ] - }, - { - "id": "ac-6.7", - "class": "SP800-53-enhancement", - "title": "Review of User Privileges", - "parameters": [ - { - "id": "ac-6.7_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ac-6.7_prm_2", - "label": "organization-defined roles or classes of users" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-6(7)" - }, - { - "name": "sort-id", - "value": "AC-06(07)" - } - ], - "links": [ - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - } - ], - "parts": [ - { - "id": "ac-6.7_smt", - "name": "statement", - "parts": [ - { - "id": "ac-6.7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Review {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and" - }, - { - "id": "ac-6.7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs." - } - ] - }, - { - "id": "ac-6.7_gdn", - "name": "guidance", - "prose": "The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions." - } - ] - }, - { - "id": "ac-6.9", - "class": "SP800-53-enhancement", - "title": "Log Use of Privileged Functions", - "properties": [ - { - "name": "label", - "value": "AC-6(9)" - }, - { - "name": "sort-id", - "value": "AC-06(09)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - } - ], - "parts": [ - { - "id": "ac-6.9_smt", - "name": "statement", - "prose": "Audit the execution of privileged functions." - }, - { - "id": "ac-6.9_gdn", - "name": "guidance", - "prose": "The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat." - } - ] - }, - { - "id": "ac-6.10", - "class": "SP800-53-enhancement", - "title": "Prohibit Non-privileged Users from Executing Privileged Functions", - "properties": [ - { - "name": "label", - "value": "AC-6(10)" - }, - { - "name": "sort-id", - "value": "AC-06(10)" - } - ], - "parts": [ - { - "id": "ac-6.10_smt", - "name": "statement", - "prose": "Prevent non-privileged users from executing privileged functions." - }, - { - "id": "ac-6.10_gdn", - "name": "guidance", - "prose": "Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3." - } - ] - } - ] - }, - { - "id": "ac-7", - "class": "SP800-53", - "title": "Unsuccessful Logon Attempts", - "parameters": [ - { - "id": "ac-7_prm_1", - "label": "organization-defined number" - }, - { - "id": "ac-7_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "ac-7_prm_3" - }, - { - "id": "ac-7_prm_4", - "depends-on": "ac-7_prm_3", - "label": "organization-defined time-period" - }, - { - "id": "ac-7_prm_5", - "depends-on": "ac-7_prm_3", - "label": "organization-defined delay algorithm" - }, - { - "id": "ac-7_prm_6", - "depends-on": "ac-7_prm_3", - "label": "organization-defined action" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-7" - }, - { - "name": "sort-id", - "value": "AC-07" - } - ], - "links": [ - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-9", - "rel": "related", - "text": "AC-9" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - } - ], - "parts": [ - { - "id": "ac-7_smt", - "name": "statement", - "parts": [ - { - "id": "ac-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and" - }, - { - "id": "ac-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded." - } - ] - }, - { - "id": "ac-7_gdn", - "name": "guidance", - "prose": "This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address.\nTechniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." - } - ] - }, - { - "id": "ac-8", - "class": "SP800-53", - "title": "System Use Notification", - "parameters": [ - { - "id": "ac-8_prm_1", - "label": "organization-defined system use notification message or banner" - }, - { - "id": "ac-8_prm_2", - "label": "organization-defined conditions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-8" - }, - { - "name": "sort-id", - "value": "AC-08" - } - ], - "links": [ - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-8_smt", - "name": "statement", - "parts": [ - { - "id": "ac-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", - "parts": [ - { - "id": "ac-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Users are accessing a U.S. Government system;" - }, - { - "id": "ac-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "System usage may be monitored, recorded, and subject to audit;" - }, - { - "id": "ac-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" - }, - { - "id": "ac-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Use of the system indicates consent to monitoring and recording;" - } - ] - }, - { - "id": "ac-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" - }, - { - "id": "ac-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "For publicly accessible systems:", - "parts": [ - { - "id": "ac-8_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system;" - }, - { - "id": "ac-8_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" - }, - { - "id": "ac-8_smt.c.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Include a description of the authorized uses of the system." - } - ] - } - ] - }, - { - "id": "ac-8_gdn", - "name": "guidance", - "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content." - } - ] - }, - { - "id": "ac-11", - "class": "SP800-53", - "title": "Device Lock", - "parameters": [ - { - "id": "ac-11_prm_1" - }, - { - "id": "ac-11_prm_2", - "depends-on": "ac-11_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-11" - }, - { - "name": "sort-id", - "value": "AC-11" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - } - ], - "parts": [ - { - "id": "ac-11_smt", - "name": "statement", - "parts": [ - { - "id": "ac-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Prevent further access to the system by {{ ac-11_prm_1 }}; and" - }, - { - "id": "ac-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the device lock until the user reestablishes access using established identification and authentication procedures." - } - ] - }, - { - "id": "ac-11_gdn", - "name": "guidance", - "prose": "Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays." - } - ], - "controls": [ - { - "id": "ac-11.1", - "class": "SP800-53-enhancement", - "title": "Pattern-hiding Displays", - "properties": [ - { - "name": "label", - "value": "AC-11(1)" - }, - { - "name": "sort-id", - "value": "AC-11(01)" - } - ], - "parts": [ - { - "id": "ac-11.1_smt", - "name": "statement", - "prose": "Conceal, via the device lock, information previously visible on the display with a publicly viewable image." - }, - { - "id": "ac-11.1_gdn", - "name": "guidance", - "prose": "The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed." - } - ] - } - ] - }, - { - "id": "ac-12", - "class": "SP800-53", - "title": "Session Termination", - "parameters": [ - { - "id": "ac-12_prm_1", - "label": "organization-defined conditions or trigger events requiring session disconnect" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-12" - }, - { - "name": "sort-id", - "value": "AC-12" - } - ], - "links": [ - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - } - ], - "parts": [ - { - "id": "ac-12_smt", - "name": "statement", - "prose": "Automatically terminate a user session after {{ ac-12_prm_1 }}." - }, - { - "id": "ac-12_gdn", - "name": "guidance", - "prose": "Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use." - } - ] - }, - { - "id": "ac-14", - "class": "SP800-53", - "title": "Permitted Actions Without Identification or Authentication", - "parameters": [ - { - "id": "ac-14_prm_1", - "label": "organization-defined user actions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-14" - }, - { - "name": "sort-id", - "value": "AC-14" - } - ], - "links": [ - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "ac-14_smt", - "name": "statement", - "parts": [ - { - "id": "ac-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and" - }, - { - "id": "ac-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." - } - ] - }, - { - "id": "ac-14_gdn", - "name": "guidance", - "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none." - } - ] - }, - { - "id": "ac-17", - "class": "SP800-53", - "title": "Remote Access", - "properties": [ - { - "name": "label", - "value": "AC-17" - }, - { - "name": "sort-id", - "value": "AC-17" - } - ], - "links": [ - { - "href": "#7768c184-088d-4ee8-a316-f9286b52df7f", - "rel": "reference", - "text": "[SP 800-46]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#36132a58-56fd-4980-9f6c-c010d3faf52b", - "rel": "reference", - "text": "[SP 800-113]" - }, - { - "href": "#49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "rel": "reference", - "text": "[SP 800-114]" - }, - { - "href": "#60b24979-65b8-4ca5-a442-11b74339fab5", - "rel": "reference", - "text": "[SP 800-121]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-17", - "rel": "related", - "text": "PE-17" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-17_smt", - "name": "statement", - "parts": [ - { - "id": "ac-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" - }, - { - "id": "ac-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize each type of remote access to the system prior to allowing such connections." - } - ] - }, - { - "id": "ac-17_gdn", - "name": "guidance", - "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3." - } - ], - "controls": [ - { - "id": "ac-17.1", - "class": "SP800-53-enhancement", - "title": "Monitoring and Control", - "properties": [ - { - "name": "label", - "value": "AC-17(1)" - }, - { - "name": "sort-id", - "value": "AC-17(01)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - } - ], - "parts": [ - { - "id": "ac-17.1_smt", - "name": "statement", - "prose": "Employ automated mechanisms to monitor and control remote access methods." - }, - { - "id": "ac-17.1_gdn", - "name": "guidance", - "prose": "Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a." - } - ] - }, - { - "id": "ac-17.2", - "class": "SP800-53-enhancement", - "title": "Protection of Confidentiality and Integrity Using Encryption", - "properties": [ - { - "name": "label", - "value": "AC-17(2)" - }, - { - "name": "sort-id", - "value": "AC-17(02)" - } - ], - "links": [ - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ac-17.2_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." - }, - { - "id": "ac-17.2_gdn", - "name": "guidance", - "prose": "Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions." - } - ] - }, - { - "id": "ac-17.3", - "class": "SP800-53-enhancement", - "title": "Managed Access Control Points", - "properties": [ - { - "name": "label", - "value": "AC-17(3)" - }, - { - "name": "sort-id", - "value": "AC-17(03)" - } - ], - "links": [ - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "ac-17.3_smt", - "name": "statement", - "prose": "Route remote accesses through authorized and managed network access control points." - }, - { - "id": "ac-17.3_gdn", - "name": "guidance", - "prose": "Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface." - } - ] - }, - { - "id": "ac-17.4", - "class": "SP800-53-enhancement", - "title": "Privileged Commands and Access", - "parameters": [ - { - "id": "ac-17.4_prm_1", - "label": "organization-defined needs" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-17(4)" - }, - { - "name": "sort-id", - "value": "AC-17(04)" - } - ], - "links": [ - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ac-17.4_smt", - "name": "statement", - "parts": [ - { - "id": "ac-17.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ ac-17.4_prm_1 }}; and" - }, - { - "id": "ac-17.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Document the rationale for remote access in the security plan for the system." - } - ] - }, - { - "id": "ac-17.4_gdn", - "name": "guidance", - "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability." - } - ] - } - ] - }, - { - "id": "ac-18", - "class": "SP800-53", - "title": "Wireless Access", - "properties": [ - { - "name": "label", - "value": "AC-18" - }, - { - "name": "sort-id", - "value": "AC-18" - } - ], - "links": [ - { - "href": "#41e2e2c6-2260-4258-85c8-09db17c43103", - "rel": "reference", - "text": "[SP 800-94]" - }, - { - "href": "#6bed1550-cd5d-4e80-8d83-4e597c1514fe", - "rel": "reference", - "text": "[SP 800-97]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-18_smt", - "name": "statement", - "parts": [ - { - "id": "ac-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" - }, - { - "id": "ac-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize each type of wireless access to the system prior to allowing such connections." - } - ] - }, - { - "id": "ac-18_gdn", - "name": "guidance", - "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication." - } - ], - "controls": [ - { - "id": "ac-18.1", - "class": "SP800-53-enhancement", - "title": "Authentication and Encryption", - "parameters": [ - { - "id": "ac-18.1_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-18(1)" - }, - { - "name": "sort-id", - "value": "AC-18(01)" - } - ], - "links": [ - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ac-18.1_smt", - "name": "statement", - "prose": "Protect wireless access to the system using authentication of {{ ac-18.1_prm_1 }} and encryption." - }, - { - "id": "ac-18.1_gdn", - "name": "guidance", - "prose": "Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies." - } - ] - }, - { - "id": "ac-18.3", - "class": "SP800-53-enhancement", - "title": "Disable Wireless Networking", - "properties": [ - { - "name": "label", - "value": "AC-18(3)" - }, - { - "name": "sort-id", - "value": "AC-18(03)" - } - ], - "parts": [ - { - "id": "ac-18.3_smt", - "name": "statement", - "prose": "Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment." - }, - { - "id": "ac-18.3_gdn", - "name": "guidance", - "prose": "Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies." - } - ] - } - ] - }, - { - "id": "ac-19", - "class": "SP800-53", - "title": "Access Control for Mobile Devices", - "properties": [ - { - "name": "label", - "value": "AC-19" - }, - { - "name": "sort-id", - "value": "AC-19" - } - ], - "links": [ - { - "href": "#49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "rel": "reference", - "text": "[SP 800-114]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ac-19_smt", - "name": "statement", - "parts": [ - { - "id": "ac-19_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" - }, - { - "id": "ac-19_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize the connection of mobile devices to organizational systems." - } - ] - }, - { - "id": "ac-19_gdn", - "name": "guidance", - "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled." - } - ], - "controls": [ - { - "id": "ac-19.5", - "class": "SP800-53-enhancement", - "title": "Full Device and Container-based Encryption", - "parameters": [ - { - "id": "ac-19.5_prm_1" - }, - { - "id": "ac-19.5_prm_2", - "label": "organization-defined mobile devices" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-19(5)" - }, - { - "name": "sort-id", - "value": "AC-19(05)" - } - ], - "links": [ - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - } - ], - "parts": [ - { - "id": "ac-19.5_smt", - "name": "statement", - "prose": "Employ {{ ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ ac-19.5_prm_2 }}." - }, - { - "id": "ac-19.5_gdn", - "name": "guidance", - "prose": "Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields." - } - ] - } - ] - }, - { - "id": "ac-20", - "class": "SP800-53", - "title": "Use of External Systems", - "parameters": [ - { - "id": "ac-20_prm_1" - }, - { - "id": "ac-20_prm_2", - "depends-on": "ac-20_prm_1", - "label": "organization-defined terms and conditions" - }, - { - "id": "ac-20_prm_3", - "depends-on": "ac-20_prm_1", - "label": "organization-defined controls asserted to be implemented on external systems" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-20" - }, - { - "name": "sort-id", - "value": "AC-20" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "rel": "reference", - "text": "[SP 800-171B]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "ac-20_smt", - "name": "statement", - "prose": "Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", - "parts": [ - { - "id": "ac-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Access the system from external systems; and" - }, - { - "id": "ac-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Process, store, or transmit organization-controlled information using external systems." - } - ] - }, - { - "id": "ac-20_gdn", - "name": "guidance", - "prose": "External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries.\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\nThis control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." - } - ], - "controls": [ - { - "id": "ac-20.1", - "class": "SP800-53-enhancement", - "title": "Limits on Authorized Use", - "properties": [ - { - "name": "label", - "value": "AC-20(1)" - }, - { - "name": "sort-id", - "value": "AC-20(01)" - } - ], - "links": [ - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - } - ], - "parts": [ - { - "id": "ac-20.1_smt", - "name": "statement", - "prose": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:", - "parts": [ - { - "id": "ac-20.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or" - }, - { - "id": "ac-20.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Retention of approved system connection or processing agreements with the organizational entity hosting the external system." - } - ] - }, - { - "id": "ac-20.1_gdn", - "name": "guidance", - "prose": "Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations." - } - ] - }, - { - "id": "ac-20.2", - "class": "SP800-53-enhancement", - "title": "Portable Storage Devices — Restricted Use", - "parameters": [ - { - "id": "ac-20.2_prm_1", - "label": "organization-defined restrictions" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-20(2)" - }, - { - "name": "sort-id", - "value": "AC-20(02)" - } - ], - "links": [ - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#sc-41", - "rel": "related", - "text": "SC-41" - } - ], - "parts": [ - { - "id": "ac-20.2_smt", - "name": "statement", - "prose": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ ac-20.2_prm_1 }}." - }, - { - "id": "ac-20.2_gdn", - "name": "guidance", - "prose": "Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used." - } - ] - } - ] - }, - { - "id": "ac-21", - "class": "SP800-53", - "title": "Information Sharing", - "parameters": [ - { - "id": "ac-21_prm_1", - "label": "organization-defined information sharing circumstances where user discretion is required" - }, - { - "id": "ac-21_prm_2", - "label": "organization-defined automated mechanisms or manual processes" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-21" - }, - { - "name": "sort-id", - "value": "AC-21" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "rel": "reference", - "text": "[SP 800-150]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sc-15", - "rel": "related", - "text": "SC-15" - } - ], - "parts": [ - { - "id": "ac-21_smt", - "name": "statement", - "parts": [ - { - "id": "ac-21_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ ac-21_prm_1 }}; and" - }, - { - "id": "ac-21_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ {{ ac-21_prm_2 }} to assist users in making information sharing and collaboration decisions." - } - ] - }, - { - "id": "ac-21_gdn", - "name": "guidance", - "prose": "Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA)." - } - ] - }, - { - "id": "ac-22", - "class": "SP800-53", - "title": "Publicly Accessible Content", - "parameters": [ - { - "id": "ac-22_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-22" - }, - { - "name": "sort-id", - "value": "AC-22" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - } - ], - "parts": [ - { - "id": "ac-22_smt", - "name": "statement", - "parts": [ - { - "id": "ac-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Designate individuals authorized to make information publicly accessible;" - }, - { - "id": "ac-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" - }, - { - "id": "ac-22_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" - }, - { - "id": "ac-22_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered." - } - ] - }, - { - "id": "ac-22_gdn", - "name": "guidance", - "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible." - } - ] - } - ] - }, - { - "id": "at", - "class": "family", - "title": "Awareness and Training", - "controls": [ - { - "id": "at-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "at-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "at-1_prm_2" - }, - { - "id": "at-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "at-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "at-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-1" - }, - { - "name": "sort-id", - "value": "AT-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-1_smt", - "name": "statement", - "parts": [ - { - "id": "at-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ at-1_prm_1 }}:", - "parts": [ - { - "id": "at-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ at-1_prm_2 }} awareness and training policy that:", - "parts": [ - { - "id": "at-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "at-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "at-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" - } - ] - }, - { - "id": "at-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" - }, - { - "id": "at-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current awareness and training:", - "parts": [ - { - "id": "at-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ at-1_prm_4 }}; and" - }, - { - "id": "at-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ at-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "at-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "at-2", - "class": "SP800-53", - "title": "Awareness Training", - "parameters": [ - { - "id": "at-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "at-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-2" - }, - { - "name": "sort-id", - "value": "AT-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - } - ], - "parts": [ - { - "id": "at-2_smt", - "name": "statement", - "parts": [ - { - "id": "at-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):", - "parts": [ - { - "id": "at-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and" - }, - { - "id": "at-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update awareness training {{ at-2_prm_2 }}." - } - ] - }, - { - "id": "at-2_gdn", - "name": "guidance", - "prose": "Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective." - } - ], - "controls": [ - { - "id": "at-2.2", - "class": "SP800-53-enhancement", - "title": "Insider Threat", - "properties": [ - { - "name": "label", - "value": "AT-2(2)" - }, - { - "name": "sort-id", - "value": "AT-02(02)" - } - ], - "links": [ - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - } - ], - "parts": [ - { - "id": "at-2.2_smt", - "name": "statement", - "prose": "Provide awareness training on recognizing and reporting potential indicators of insider threat." - }, - { - "id": "at-2.2_gdn", - "name": "guidance", - "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations." - } - ] - }, - { - "id": "at-2.3", - "class": "SP800-53-enhancement", - "title": "Social Engineering and Mining", - "properties": [ - { - "name": "label", - "value": "AT-2(3)" - }, - { - "name": "sort-id", - "value": "AT-02(03)" - } - ], - "parts": [ - { - "id": "at-2.3_smt", - "name": "statement", - "prose": "Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining." - }, - { - "id": "at-2.3_gdn", - "name": "guidance", - "prose": "Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures." - } - ] - } - ] - }, - { - "id": "at-3", - "class": "SP800-53", - "title": "Role-based Training", - "parameters": [ - { - "id": "at-3_prm_1", - "label": "organization-defined roles and responsibilities" - }, - { - "id": "at-3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "at-3_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-3" - }, - { - "name": "sort-id", - "value": "AT-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "at-3_smt", - "name": "statement", - "parts": [ - { - "id": "at-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:", - "parts": [ - { - "id": "at-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and" - }, - { - "id": "at-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update role-based training {{ at-3_prm_3 }}." - } - ] - }, - { - "id": "at-3_gdn", - "name": "guidance", - "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective." - } - ] - }, - { - "id": "at-4", - "class": "SP800-53", - "title": "Training Records", - "parameters": [ - { - "id": "at-4_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-4" - }, - { - "name": "sort-id", - "value": "AT-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-4_smt", - "name": "statement", - "parts": [ - { - "id": "at-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" - }, - { - "id": "at-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain individual training records for {{ at-4_prm_1 }}." - } - ] - }, - { - "id": "at-4_gdn", - "name": "guidance", - "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." - } - ] - } - ] - }, - { - "id": "au", - "class": "family", - "title": "Audit and Accountability", - "controls": [ - { - "id": "au-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "au-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "au-1_prm_2" - }, - { - "id": "au-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "au-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "au-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-1" - }, - { - "name": "sort-id", - "value": "AU-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-1_smt", - "name": "statement", - "parts": [ - { - "id": "au-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ au-1_prm_1 }}:", - "parts": [ - { - "id": "au-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ au-1_prm_2 }} audit and accountability policy that:", - "parts": [ - { - "id": "au-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "au-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "au-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" - } - ] - }, - { - "id": "au-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" - }, - { - "id": "au-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current audit and accountability:", - "parts": [ - { - "id": "au-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ au-1_prm_4 }}; and" - }, - { - "id": "au-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ au-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "au-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "au-2", - "class": "SP800-53", - "title": "Event Logging", - "parameters": [ - { - "id": "au-2_prm_1", - "label": "organization-defined event types that the system is capable of logging" - }, - { - "id": "au-2_prm_2", - "label": "organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type" - }, - { - "id": "au-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-2" - }, - { - "name": "sort-id", - "value": "AU-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#02d8ec60-6197-43f8-9f47-18732127963e", - "rel": "reference", - "text": "[SP 800-92]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "au-2_smt", - "name": "statement", - "parts": [ - { - "id": "au-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};" - }, - { - "id": "au-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" - }, - { - "id": "au-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Specify the following event types for logging within the system: {{ au-2_prm_2 }};" - }, - { - "id": "au-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" - }, - { - "id": "au-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Review and update the event types selected for logging {{ au-2_prm_3 }}." - } - ] - }, - { - "id": "au-2_gdn", - "name": "guidance", - "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." - } - ] - }, - { - "id": "au-3", - "class": "SP800-53", - "title": "Content of Audit Records", - "properties": [ - { - "name": "label", - "value": "AU-3" - }, - { - "name": "sort-id", - "value": "AU-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-8", - "rel": "related", - "text": "AU-8" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "au-3_smt", - "name": "statement", - "prose": "Ensure that audit records contain information that establishes the following:", - "parts": [ - { - "id": "au-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "What type of event occurred;" - }, - { - "id": "au-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When the event occurred;" - }, - { - "id": "au-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Where the event occurred;" - }, - { - "id": "au-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Source of the event;" - }, - { - "id": "au-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Outcome of the event; and" - }, - { - "id": "au-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." - } - ] - }, - { - "id": "au-3_gdn", - "name": "guidance", - "prose": "Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage." - } - ], - "controls": [ - { - "id": "au-3.1", - "class": "SP800-53-enhancement", - "title": "Additional Audit Information", - "parameters": [ - { - "id": "au-3.1_prm_1", - "label": "organization-defined additional information" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-3(1)" - }, - { - "name": "sort-id", - "value": "AU-03(01)" - } - ], - "parts": [ - { - "id": "au-3.1_smt", - "name": "statement", - "prose": "Generate audit records containing the following additional information: {{ au-3.1_prm_1 }}." - }, - { - "id": "au-3.1_gdn", - "name": "guidance", - "prose": "The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest." - } - ] - } - ] - }, - { - "id": "au-4", - "class": "SP800-53", - "title": "Audit Log Storage Capacity", - "parameters": [ - { - "id": "au-4_prm_1", - "label": "organization-defined audit log retention requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-4" - }, - { - "name": "sort-id", - "value": "AU-04" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-4_smt", - "name": "statement", - "prose": "Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}." - }, - { - "id": "au-4_gdn", - "name": "guidance", - "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." - } - ] - }, - { - "id": "au-5", - "class": "SP800-53", - "title": "Response to Audit Logging Process Failures", - "parameters": [ - { - "id": "au-5_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "au-5_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "au-5_prm_3", - "label": "organization-defined additional actions" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-5" - }, - { - "name": "sort-id", - "value": "AU-05" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-5_smt", - "name": "statement", - "parts": [ - { - "id": "au-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and" - }, - { - "id": "au-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Take the following additional actions: {{ au-5_prm_3 }}." - } - ] - }, - { - "id": "au-5_gdn", - "name": "guidance", - "prose": "Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." - } - ] - }, - { - "id": "au-6", - "class": "SP800-53", - "title": "Audit Record Review, Analysis, and Reporting", - "parameters": [ - { - "id": "au-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "au-6_prm_2", - "label": "organization-defined inappropriate or unusual activity" - }, - { - "id": "au-6_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-6" - }, - { - "name": "sort-id", - "value": "AU-06" - } - ], - "links": [ - { - "href": "#35dfd59f-eef2-4f71-bdb5-6d878267456a", - "rel": "reference", - "text": "[SP 800-86]" - }, - { - "href": "#1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "rel": "reference", - "text": "[SP 800-101]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "au-6_smt", - "name": "statement", - "parts": [ - { - "id": "au-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};" - }, - { - "id": "au-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report findings to {{ au-6_prm_3 }}; and" - }, - { - "id": "au-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." - } - ] - }, - { - "id": "au-6_gdn", - "name": "guidance", - "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." - } - ], - "controls": [ - { - "id": "au-6.1", - "class": "SP800-53-enhancement", - "title": "Automated Process Integration", - "parameters": [ - { - "id": "au-6.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-6(1)" - }, - { - "name": "sort-id", - "value": "AU-06(01)" - } - ], - "links": [ - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - } - ], - "parts": [ - { - "id": "au-6.1_smt", - "name": "statement", - "prose": "Integrate audit record review, analysis, and reporting processes using {{ au-6.1_prm_1 }}." - }, - { - "id": "au-6.1_gdn", - "name": "guidance", - "prose": "Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits." - } - ] - }, - { - "id": "au-6.3", - "class": "SP800-53-enhancement", - "title": "Correlate Audit Record Repositories", - "properties": [ - { - "name": "label", - "value": "AU-6(3)" - }, - { - "name": "sort-id", - "value": "AU-06(03)" - } - ], - "links": [ - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - } - ], - "parts": [ - { - "id": "au-6.3_smt", - "name": "statement", - "prose": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." - }, - { - "id": "au-6.3_gdn", - "name": "guidance", - "prose": "Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness." - } - ] - } - ] - }, - { - "id": "au-7", - "class": "SP800-53", - "title": "Audit Record Reduction and Report Generation", - "properties": [ - { - "name": "label", - "value": "AU-7" - }, - { - "name": "sort-id", - "value": "AU-07" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-7_smt", - "name": "statement", - "prose": "Provide and implement an audit record reduction and report generation capability that:", - "parts": [ - { - "id": "au-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and" - }, - { - "id": "au-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Does not alter the original content or time ordering of audit records." - } - ] - }, - { - "id": "au-7_gdn", - "name": "guidance", - "prose": "Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient." - } - ], - "controls": [ - { - "id": "au-7.1", - "class": "SP800-53-enhancement", - "title": "Automatic Processing", - "parameters": [ - { - "id": "au-7.1_prm_1", - "label": "organization-defined fields within audit records" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-7(1)" - }, - { - "name": "sort-id", - "value": "AU-07(01)" - } - ], - "parts": [ - { - "id": "au-7.1_smt", - "name": "statement", - "prose": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ au-7.1_prm_1 }}." - }, - { - "id": "au-7.1_gdn", - "name": "guidance", - "prose": "Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component." - } - ] - } - ] - }, - { - "id": "au-8", - "class": "SP800-53", - "title": "Time Stamps", - "parameters": [ - { - "id": "au-8_prm_1", - "label": "organization-defined granularity of time measurement" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-8" - }, - { - "name": "sort-id", - "value": "AU-08" - } - ], - "links": [ - { - "href": "#17ca9481-ea11-4ef2-81c1-885fd37d4be5", - "rel": "reference", - "text": "[IETF 5905]" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#sc-45", - "rel": "related", - "text": "SC-45" - } - ], - "parts": [ - { - "id": "au-8_smt", - "name": "statement", - "parts": [ - { - "id": "au-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Use internal system clocks to generate time stamps for audit records; and" - }, - { - "id": "au-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." - } - ] - }, - { - "id": "au-8_gdn", - "name": "guidance", - "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." - } - ], - "controls": [ - { - "id": "au-8.1", - "class": "SP800-53-enhancement", - "title": "Synchronization with Authoritative Time Source", - "parameters": [ - { - "id": "au-8.1_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "au-8.1_prm_2", - "label": "organization-defined authoritative time source" - }, - { - "id": "au-8.1_prm_3", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-8(1)" - }, - { - "name": "sort-id", - "value": "AU-08(01)" - } - ], - "parts": [ - { - "id": "au-8.1_smt", - "name": "statement", - "parts": [ - { - "id": "au-8.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Compare the internal system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and" - }, - { - "id": "au-8.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ au-8.1_prm_3 }}." - } - ] - }, - { - "id": "au-8.1_gdn", - "name": "guidance", - "prose": "Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network." - } - ] - } - ] - }, - { - "id": "au-9", - "class": "SP800-53", - "title": "Protection of Audit Information", - "properties": [ - { - "name": "label", - "value": "AU-9" - }, - { - "name": "sort-id", - "value": "AU-09" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#au-15", - "rel": "related", - "text": "AU-15" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "au-9_smt", - "name": "statement", - "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion." - }, - { - "id": "au-9_gdn", - "name": "guidance", - "prose": "Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." - } - ], - "controls": [ - { - "id": "au-9.4", - "class": "SP800-53-enhancement", - "title": "Access by Subset of Privileged Users", - "parameters": [ - { - "id": "au-9.4_prm_1", - "label": "organization-defined subset of privileged users or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-9(4)" - }, - { - "name": "sort-id", - "value": "AU-09(04)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - } - ], - "parts": [ - { - "id": "au-9.4_smt", - "name": "statement", - "prose": "Authorize access to management of audit logging functionality to only {{ au-9.4_prm_1 }}." - }, - { - "id": "au-9.4_gdn", - "name": "guidance", - "prose": "Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges." - } - ] - } - ] - }, - { - "id": "au-11", - "class": "SP800-53", - "title": "Audit Record Retention", - "parameters": [ - { - "id": "au-11_prm_1", - "label": "organization-defined time-period consistent with records retention policy" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-11" - }, - { - "name": "sort-id", - "value": "AU-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-11_smt", - "name": "statement", - "prose": "Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." - }, - { - "id": "au-11_gdn", - "name": "guidance", - "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention." - } - ] - }, - { - "id": "au-12", - "class": "SP800-53", - "title": "Audit Record Generation", - "parameters": [ - { - "id": "au-12_prm_1", - "label": "organization-defined system components" - }, - { - "id": "au-12_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-12" - }, - { - "name": "sort-id", - "value": "AU-12" - } - ], - "links": [ - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - } - ], - "parts": [ - { - "id": "au-12_smt", - "name": "statement", - "parts": [ - { - "id": "au-12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }};" - }, - { - "id": "au-12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and" - }, - { - "id": "au-12_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." - } - ] - }, - { - "id": "au-12_gdn", - "name": "guidance", - "prose": "Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." - } - ] - } - ] - }, - { - "id": "ca", - "class": "family", - "title": "Assessment, Authorization, and Monitoring", - "controls": [ - { - "id": "ca-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ca-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-1_prm_2" - }, - { - "id": "ca-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ca-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ca-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-1" - }, - { - "name": "sort-id", - "value": "CA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-1_smt", - "name": "statement", - "parts": [ - { - "id": "ca-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ca-1_prm_1 }}:", - "parts": [ - { - "id": "ca-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:", - "parts": [ - { - "id": "ca-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ca-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ca-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" - } - ] - }, - { - "id": "ca-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" - }, - { - "id": "ca-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current assessment, authorization, and monitoring:", - "parts": [ - { - "id": "ca-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ca-1_prm_4 }}; and" - }, - { - "id": "ca-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ca-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ca-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ca-2", - "class": "SP800-53", - "title": "Control Assessments", - "parameters": [ - { - "id": "ca-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ca-2_prm_2", - "label": "organization-defined individuals or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-2" - }, - { - "name": "sort-id", - "value": "CA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "ca-2_smt", - "name": "statement", - "parts": [ - { - "id": "ca-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a control assessment plan that describes the scope of the assessment including:", - "parts": [ - { - "id": "ca-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Controls and control enhancements under assessment;" - }, - { - "id": "ca-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Assessment procedures to be used to determine control effectiveness; and" - }, - { - "id": "ca-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" - } - ] - }, - { - "id": "ca-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" - }, - { - "id": "ca-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" - }, - { - "id": "ca-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Produce a control assessment report that document the results of the assessment; and" - }, - { - "id": "ca-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Provide the results of the control assessment to {{ ca-2_prm_2 }}." - } - ] - }, - { - "id": "ca-2_gdn", - "name": "guidance", - "prose": "Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control." - } - ], - "controls": [ - { - "id": "ca-2.1", - "class": "SP800-53-enhancement", - "title": "Independent Assessors", - "properties": [ - { - "name": "label", - "value": "CA-2(1)" - }, - { - "name": "sort-id", - "value": "CA-02(01)" - } - ], - "parts": [ - { - "id": "ca-2.1_smt", - "name": "statement", - "prose": "Employ independent assessors or assessment teams to conduct control assessments." - }, - { - "id": "ca-2.1_gdn", - "name": "guidance", - "prose": "Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services.\nIndependent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews.\nWhen organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." - } - ] - } - ] - }, - { - "id": "ca-3", - "class": "SP800-53", - "title": "Information Exchange", - "parameters": [ - { - "id": "ca-3_prm_1" - }, - { - "id": "ca-3_prm_2", - "depends-on": "ca-3_prm_1", - "label": "organization-defined type of agreement" - }, - { - "id": "ca-3_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-3" - }, - { - "name": "sort-id", - "value": "CA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#2e66c31a-190e-49ad-8e00-f306f8a0df17", - "rel": "reference", - "text": "[SP 800-47]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#au-16", - "rel": "related", - "text": "AU-16" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-3_smt", - "name": "statement", - "parts": [ - { - "id": "ca-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }};" - }, - { - "id": "ca-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" - }, - { - "id": "ca-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the agreements {{ ca-3_prm_3 }}." - } - ] - }, - { - "id": "ca-3_gdn", - "name": "guidance", - "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks." - } - ] - }, - { - "id": "ca-5", - "class": "SP800-53", - "title": "Plan of Action and Milestones", - "parameters": [ - { - "id": "ca-5_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-5" - }, - { - "name": "sort-id", - "value": "CA-05" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-5_smt", - "name": "statement", - "parts": [ - { - "id": "ca-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" - }, - { - "id": "ca-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities." - } - ] - }, - { - "id": "ca-5_gdn", - "name": "guidance", - "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB." - } - ] - }, - { - "id": "ca-6", - "class": "SP800-53", - "title": "Authorization", - "parameters": [ - { - "id": "ca-6_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-6" - }, - { - "name": "sort-id", - "value": "CA-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-6_smt", - "name": "statement", - "parts": [ - { - "id": "ca-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Assign a senior official as the authorizing official for the system;" - }, - { - "id": "ca-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ensure that the authorizing official for the system, before commencing operations:", - "parts": [ - { - "id": "ca-6_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Accepts the use of common controls inherited by the system; and" - }, - { - "id": "ca-6_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Authorizes the system to operate;" - } - ] - }, - { - "id": "ca-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Update the authorizations {{ ca-6_prm_1 }}." - } - ] - }, - { - "id": "ca-6_gdn", - "name": "guidance", - "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." - } - ] - }, - { - "id": "ca-7", - "class": "SP800-53", - "title": "Continuous Monitoring", - "parameters": [ - { - "id": "ca-7_prm_1", - "label": "organization-defined system-level metrics" - }, - { - "id": "ca-7_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-7_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-7" - }, - { - "name": "sort-id", - "value": "CA-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "rel": "reference", - "text": "[IR 8011 v1]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-31", - "rel": "related", - "text": "PM-31" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "ca-7_smt", - "name": "statement", - "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", - "parts": [ - { - "id": "ca-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};" - }, - { - "id": "ca-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "ca-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "ca-7_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "ca-7_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}." - } - ] - }, - { - "id": "ca-7_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ], - "controls": [ - { - "id": "ca-7.1", - "class": "SP800-53-enhancement", - "title": "Independent Assessment", - "properties": [ - { - "name": "label", - "value": "CA-7(1)" - }, - { - "name": "sort-id", - "value": "CA-07(01)" - } - ], - "parts": [ - { - "id": "ca-7.1_smt", - "name": "statement", - "prose": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis." - }, - { - "id": "ca-7.1_gdn", - "name": "guidance", - "prose": "Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services." - } - ] - }, - { - "id": "ca-7.4", - "class": "SP800-53-enhancement", - "title": "Risk Monitoring", - "properties": [ - { - "name": "label", - "value": "CA-7(4)" - }, - { - "name": "sort-id", - "value": "CA-07(04)" - } - ], - "parts": [ - { - "id": "ca-7.4_smt", - "name": "statement", - "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", - "parts": [ - { - "id": "ca-7.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Effectiveness monitoring;" - }, - { - "id": "ca-7.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Compliance monitoring; and" - }, - { - "id": "ca-7.4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Change monitoring." - } - ] - }, - { - "id": "ca-7.4_gdn", - "name": "guidance", - "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." - } - ] - } - ] - }, - { - "id": "ca-9", - "class": "SP800-53", - "title": "Internal System Connections", - "parameters": [ - { - "id": "ca-9_prm_1", - "label": "organization-defined system components or classes of components" - }, - { - "id": "ca-9_prm_2", - "label": "organization-defined conditions" - }, - { - "id": "ca-9_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-9" - }, - { - "name": "sort-id", - "value": "CA-09" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-9_smt", - "name": "statement", - "parts": [ - { - "id": "ca-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Authorize internal connections of {{ ca-9_prm_1 }} to the system;" - }, - { - "id": "ca-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" - }, - { - "id": "ca-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Terminate internal system connections after {{ ca-9_prm_2 }}; and" - }, - { - "id": "ca-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review {{ ca-9_prm_3 }} the continued need for each internal connection." - } - ] - }, - { - "id": "ca-9_gdn", - "name": "guidance", - "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." - } - ] - } - ] - }, - { - "id": "cm", - "class": "family", - "title": "Configuration Management", - "controls": [ - { - "id": "cm-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "cm-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cm-1_prm_2" - }, - { - "id": "cm-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "cm-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "cm-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-1" - }, - { - "name": "sort-id", - "value": "CM-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cm-1_smt", - "name": "statement", - "parts": [ - { - "id": "cm-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ cm-1_prm_1 }}:", - "parts": [ - { - "id": "cm-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cm-1_prm_2 }} configuration management policy that:", - "parts": [ - { - "id": "cm-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "cm-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "cm-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" - } - ] - }, - { - "id": "cm-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" - }, - { - "id": "cm-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current configuration management:", - "parts": [ - { - "id": "cm-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ cm-1_prm_4 }}; and" - }, - { - "id": "cm-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ cm-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "cm-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "cm-2", - "class": "SP800-53", - "title": "Baseline Configuration", - "parameters": [ - { - "id": "cm-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cm-2_prm_2", - "label": "Assignment organization-defined circumstances" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2" - }, - { - "name": "sort-id", - "value": "CM-02" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#cp-12", - "rel": "related", - "text": "CP-12" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - } - ], - "parts": [ - { - "id": "cm-2_smt", - "name": "statement", - "parts": [ - { - "id": "cm-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" - }, - { - "id": "cm-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the baseline configuration of the system:", - "parts": [ - { - "id": "cm-2_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cm-2_prm_1 }};" - }, - { - "id": "cm-2_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required due to {{ cm-2_prm_2 }}; and" - }, - { - "id": "cm-2_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "When system components are installed or upgraded." - } - ] - } - ] - }, - { - "id": "cm-2_gdn", - "name": "guidance", - "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." - } - ], - "controls": [ - { - "id": "cm-2.2", - "class": "SP800-53-enhancement", - "title": "Automation Support for Accuracy and Currency", - "parameters": [ - { - "id": "cm-2.2_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2(2)" - }, - { - "name": "sort-id", - "value": "CM-02(02)" - } - ], - "links": [ - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - } - ], - "parts": [ - { - "id": "cm-2.2_smt", - "name": "statement", - "prose": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ cm-2.2_prm_1 }}." - }, - { - "id": "cm-2.2_gdn", - "name": "guidance", - "prose": "Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities." - } - ] - }, - { - "id": "cm-2.3", - "class": "SP800-53-enhancement", - "title": "Retention of Previous Configurations", - "parameters": [ - { - "id": "cm-2.3_prm_1", - "label": "organization-defined number" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2(3)" - }, - { - "name": "sort-id", - "value": "CM-02(03)" - } - ], - "parts": [ - { - "id": "cm-2.3_smt", - "name": "statement", - "prose": "Retain {{ cm-2.3_prm_1 }} of previous versions of baseline configurations of the system to support rollback." - }, - { - "id": "cm-2.3_gdn", - "name": "guidance", - "prose": "Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records." - } - ] - }, - { - "id": "cm-2.7", - "class": "SP800-53-enhancement", - "title": "Configure Systems and Components for High-risk Areas", - "parameters": [ - { - "id": "cm-2.7_prm_1", - "label": "organization-defined systems or system components" - }, - { - "id": "cm-2.7_prm_2", - "label": "organization-defined configurations" - }, - { - "id": "cm-2.7_prm_3", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-2(7)" - }, - { - "name": "sort-id", - "value": "CM-02(07)" - } - ], - "links": [ - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - } - ], - "parts": [ - { - "id": "cm-2.7_smt", - "name": "statement", - "parts": [ - { - "id": "cm-2.7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Issue {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and" - }, - { - "id": "cm-2.7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Apply the following controls to the systems or components when the individuals return from travel: {{ cm-2.7_prm_3 }}." - } - ] - }, - { - "id": "cm-2.7_gdn", - "name": "guidance", - "prose": "When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family." - } - ] - } - ] - }, - { - "id": "cm-3", - "class": "SP800-53", - "title": "Configuration Change Control", - "parameters": [ - { - "id": "cm-3_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "cm-3_prm_2", - "label": "organization-defined configuration change control element" - }, - { - "id": "cm-3_prm_3" - }, - { - "id": "cm-3_prm_4", - "depends-on": "cm-3_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "cm-3_prm_5", - "depends-on": "cm-3_prm_3", - "label": "organization-defined configuration change conditions" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-3" - }, - { - "name": "sort-id", - "value": "CM-03" - } - ], - "links": [ - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "cm-3_smt", - "name": "statement", - "parts": [ - { - "id": "cm-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine and document the types of changes to the system that are configuration-controlled;" - }, - { - "id": "cm-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;" - }, - { - "id": "cm-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document configuration change decisions associated with the system;" - }, - { - "id": "cm-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement approved configuration-controlled changes to the system;" - }, - { - "id": "cm-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Retain records of configuration-controlled changes to the system for {{ cm-3_prm_1 }};" - }, - { - "id": "cm-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Monitor and review activities associated with configuration-controlled changes to the system; and" - }, - { - "id": "cm-3_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Coordinate and provide oversight for configuration change control activities through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}." - } - ] - }, - { - "id": "cm-3_gdn", - "name": "guidance", - "prose": "Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10." - } - ], - "controls": [ - { - "id": "cm-3.2", - "class": "SP800-53-enhancement", - "title": "Testing, Validation, and Documentation of Changes", - "properties": [ - { - "name": "label", - "value": "CM-3(2)" - }, - { - "name": "sort-id", - "value": "CM-03(02)" - } - ], - "parts": [ - { - "id": "cm-3.2_smt", - "name": "statement", - "prose": "Test, validate, and document changes to the system before finalizing the implementation of the changes." - }, - { - "id": "cm-3.2_gdn", - "name": "guidance", - "prose": "Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls." - } - ] - }, - { - "id": "cm-3.4", - "class": "SP800-53-enhancement", - "title": "Security and Privacy Representatives", - "parameters": [ - { - "id": "cm-3.4_prm_1", - "label": "organization-defined security and privacy representatives" - }, - { - "id": "cm-3.4_prm_2", - "label": "organization-defined configuration change control element" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-3(4)" - }, - { - "name": "sort-id", - "value": "CM-03(04)" - } - ], - "parts": [ - { - "id": "cm-3.4_smt", - "name": "statement", - "prose": "Require {{ cm-3.4_prm_1 }} to be members of the {{ cm-3.4_prm_2 }}." - }, - { - "id": "cm-3.4_gdn", - "name": "guidance", - "prose": "Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3." - } - ] - } - ] - }, - { - "id": "cm-4", - "class": "SP800-53", - "title": "Impact Analyses", - "properties": [ - { - "name": "label", - "value": "CM-4" - }, - { - "name": "sort-id", - "value": "CM-04" - } - ], - "links": [ - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "cm-4_smt", - "name": "statement", - "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." - }, - { - "id": "cm-4_gdn", - "name": "guidance", - "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required." - } - ], - "controls": [ - { - "id": "cm-4.2", - "class": "SP800-53-enhancement", - "title": "Verification of Controls", - "properties": [ - { - "name": "label", - "value": "CM-4(2)" - }, - { - "name": "sort-id", - "value": "CM-04(02)" - } - ], - "links": [ - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - } - ], - "parts": [ - { - "id": "cm-4.2_smt", - "name": "statement", - "prose": "After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system." - }, - { - "id": "cm-4.2_gdn", - "name": "guidance", - "prose": "Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls." - } - ] - } - ] - }, - { - "id": "cm-5", - "class": "SP800-53", - "title": "Access Restrictions for Change", - "properties": [ - { - "name": "label", - "value": "CM-5" - }, - { - "name": "sort-id", - "value": "CM-05" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - } - ], - "parts": [ - { - "id": "cm-5_smt", - "name": "statement", - "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." - }, - { - "id": "cm-5_gdn", - "name": "guidance", - "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." - } - ] - }, - { - "id": "cm-6", - "class": "SP800-53", - "title": "Configuration Settings", - "parameters": [ - { - "id": "cm-6_prm_1", - "label": "organization-defined common secure configurations" - }, - { - "id": "cm-6_prm_2", - "label": "organization-defined system components" - }, - { - "id": "cm-6_prm_3", - "label": "organization-defined operational requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-6" - }, - { - "name": "sort-id", - "value": "CM-06" - } - ], - "links": [ - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "rel": "reference", - "text": "[SP 800-126]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#06842bea-64c9-4e20-807a-b8fc003fa737", - "rel": "reference", - "text": "[USGCB]" - }, - { - "href": "#5cc04a1c-5489-4751-a493-746a9639067b", - "rel": "reference", - "text": "[NCPR]" - }, - { - "href": "#294eed19-7471-4517-9480-2ec73e7c6a78", - "rel": "reference", - "text": "[DOD STIG]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - } - ], - "parts": [ - { - "id": "cm-6_smt", - "name": "statement", - "parts": [ - { - "id": "cm-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;" - }, - { - "id": "cm-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the configuration settings;" - }, - { - "id": "cm-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and" - }, - { - "id": "cm-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." - } - ] - }, - { - "id": "cm-6_gdn", - "name": "guidance", - "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\nImplementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." - } - ] - }, - { - "id": "cm-7", - "class": "SP800-53", - "title": "Least Functionality", - "parameters": [ - { - "id": "cm-7_prm_1", - "label": "organization-defined mission essential capabilities" - }, - { - "id": "cm-7_prm_2", - "label": "organization-defined prohibited or restricted functions, ports, protocols, software, and/or services" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7" - }, - { - "name": "sort-id", - "value": "CM-07" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#893d1736-324c-41d6-a5f4-d526b5ca981a", - "rel": "reference", - "text": "[SP 800-167]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "cm-7_smt", - "name": "statement", - "parts": [ - { - "id": "cm-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Configure the system to provide only {{ cm-7_prm_1 }}; and" - }, - { - "id": "cm-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}." - } - ] - }, - { - "id": "cm-7_gdn", - "name": "guidance", - "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3)." - } - ], - "controls": [ - { - "id": "cm-7.1", - "class": "SP800-53-enhancement", - "title": "Periodic Review", - "parameters": [ - { - "id": "cm-7.1_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cm-7.1_prm_2", - "label": "organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7(1)" - }, - { - "name": "sort-id", - "value": "CM-07(01)" - } - ], - "links": [ - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - } - ], - "parts": [ - { - "id": "cm-7.1_smt", - "name": "statement", - "parts": [ - { - "id": "cm-7.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Review the system {{ cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and" - }, - { - "id": "cm-7.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Disable or remove {{ cm-7.1_prm_2 }}." - } - ] - }, - { - "id": "cm-7.1_gdn", - "name": "guidance", - "prose": "Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking." - } - ] - }, - { - "id": "cm-7.2", - "class": "SP800-53-enhancement", - "title": "Prevent Program Execution", - "parameters": [ - { - "id": "cm-7.2_prm_1" - }, - { - "id": "cm-7.2_prm_2", - "depends-on": "cm-7.2_prm_1", - "label": "organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7(2)" - }, - { - "name": "sort-id", - "value": "CM-07(02)" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - } - ], - "parts": [ - { - "id": "cm-7.2_smt", - "name": "statement", - "prose": "Prevent program execution in accordance with {{ cm-7.2_prm_1 }}." - }, - { - "id": "cm-7.2_gdn", - "name": "guidance", - "prose": "Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time." - } - ] - }, - { - "id": "cm-7.5", - "class": "SP800-53-enhancement", - "title": "Authorized Software — Whitelisting", - "parameters": [ - { - "id": "cm-7.5_prm_1", - "label": "organization-defined software programs authorized to execute on the system" - }, - { - "id": "cm-7.5_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-7(5)" - }, - { - "name": "sort-id", - "value": "CM-07(05)" - } - ], - "links": [ - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-7.5_smt", - "name": "statement", - "parts": [ - { - "id": "cm-7.5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Identify {{ cm-7.5_prm_1 }};" - }, - { - "id": "cm-7.5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and" - }, - { - "id": "cm-7.5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Review and update the list of authorized software programs {{ cm-7.5_prm_2 }}." - } - ] - }, - { - "id": "cm-7.5_gdn", - "name": "guidance", - "prose": "The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7." - } - ] - } - ] - }, - { - "id": "cm-8", - "class": "SP800-53", - "title": "System Component Inventory", - "parameters": [ - { - "id": "cm-8_prm_1", - "label": "organization-defined information deemed necessary to achieve effective system component accountability" - }, - { - "id": "cm-8_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-8" - }, - { - "name": "sort-id", - "value": "CM-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "cm-8_smt", - "name": "statement", - "parts": [ - { - "id": "cm-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and document an inventory of system components that:", - "parts": [ - { - "id": "cm-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Accurately reflects the system;" - }, - { - "id": "cm-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Includes all components within the system;" - }, - { - "id": "cm-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" - }, - { - "id": "cm-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and" - } - ] - }, - { - "id": "cm-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the system component inventory {{ cm-8_prm_2 }}." - } - ] - }, - { - "id": "cm-8_gdn", - "name": "guidance", - "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location." - } - ], - "controls": [ - { - "id": "cm-8.1", - "class": "SP800-53-enhancement", - "title": "Updates During Installation and Removal", - "properties": [ - { - "name": "label", - "value": "CM-8(1)" - }, - { - "name": "sort-id", - "value": "CM-08(01)" - } - ], - "links": [ - { - "href": "#pm-16", - "rel": "related", - "text": "PM-16" - } - ], - "parts": [ - { - "id": "cm-8.1_smt", - "name": "statement", - "prose": "Update the inventory of system components as part of component installations, removals, and system updates." - }, - { - "id": "cm-8.1_gdn", - "name": "guidance", - "prose": "Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components." - } - ] - }, - { - "id": "cm-8.3", - "class": "SP800-53-enhancement", - "title": "Automated Unauthorized Component Detection", - "parameters": [ - { - "id": "cm-8.3_prm_1", - "label": "organization-defined automated mechanisms" - }, - { - "id": "cm-8.3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "cm-8.3_prm_3" - }, - { - "id": "cm-8.3_prm_4", - "depends-on": "cm-8.3_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-8(3)" - }, - { - "name": "sort-id", - "value": "CM-08(03)" - } - ], - "links": [ - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - }, - { - "href": "#sc-44", - "rel": "related", - "text": "SC-44" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-8.3_smt", - "name": "statement", - "parts": [ - { - "id": "cm-8.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ cm-8.3_prm_1 }}\n {{ cm-8.3_prm_2 }}; and" - }, - { - "id": "cm-8.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Take the following actions when unauthorized components are detected: {{ cm-8.3_prm_3 }}." - } - ] - }, - { - "id": "cm-8.3_gdn", - "name": "guidance", - "prose": "Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing." - } - ] - } - ] - }, - { - "id": "cm-9", - "class": "SP800-53", - "title": "Configuration Management Plan", - "parameters": [ - { - "id": "cm-9_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-9" - }, - { - "name": "sort-id", - "value": "CM-09" - } - ], - "links": [ - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cm-9_smt", - "name": "statement", - "prose": "Develop, document, and implement a configuration management plan for the system that:", - "parts": [ - { - "id": "cm-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Addresses roles, responsibilities, and configuration management processes and procedures;" - }, - { - "id": "cm-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" - }, - { - "id": "cm-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Defines the configuration items for the system and places the configuration items under configuration management;" - }, - { - "id": "cm-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Is reviewed and approved by {{ cm-9_prm_1 }}; and" - }, - { - "id": "cm-9_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protects the configuration management plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "cm-9_gdn", - "name": "guidance", - "prose": "Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents.\nOrganizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control." - } - ] - }, - { - "id": "cm-10", - "class": "SP800-53", - "title": "Software Usage Restrictions", - "properties": [ - { - "name": "label", - "value": "CM-10" - }, - { - "name": "sort-id", - "value": "CM-10" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "cm-10_smt", - "name": "statement", - "parts": [ - { - "id": "cm-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" - }, - { - "id": "cm-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" - }, - { - "id": "cm-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." - } - ] - }, - { - "id": "cm-10_gdn", - "name": "guidance", - "prose": "Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement." - } - ] - }, - { - "id": "cm-11", - "class": "SP800-53", - "title": "User-installed Software", - "parameters": [ - { - "id": "cm-11_prm_1", - "label": "organization-defined policies" - }, - { - "id": "cm-11_prm_2", - "label": "organization-defined methods" - }, - { - "id": "cm-11_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-11" - }, - { - "name": "sort-id", - "value": "CM-11" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-11_smt", - "name": "statement", - "parts": [ - { - "id": "cm-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish {{ cm-11_prm_1 }} governing the installation of software by users;" - }, - { - "id": "cm-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and" - }, - { - "id": "cm-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Monitor policy compliance {{ cm-11_prm_3 }}." - } - ] - }, - { - "id": "cm-11_gdn", - "name": "guidance", - "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." - } - ] - }, - { - "id": "cm-12", - "class": "SP800-53", - "title": "Information Location", - "parameters": [ - { - "id": "cm-12_prm_1", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-12" - }, - { - "name": "sort-id", - "value": "CM-12" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-23", - "rel": "related", - "text": "AC-23" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sc-4", - "rel": "related", - "text": "SC-4" - }, - { - "href": "#sc-16", - "rel": "related", - "text": "SC-16" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "cm-12_smt", - "name": "statement", - "parts": [ - { - "id": "cm-12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document the location of {{ cm-12_prm_1 }} and the specific system components on which the information is processed and stored;" - }, - { - "id": "cm-12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Identify and document the users who have access to the system and system components where the information is processed and stored; and" - }, - { - "id": "cm-12_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document changes to the location (i.e., system or system components) where the information is processed and stored." - } - ] - }, - { - "id": "cm-12_gdn", - "name": "guidance", - "prose": "Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17)." - } - ], - "controls": [ - { - "id": "cm-12.1", - "class": "SP800-53-enhancement", - "title": "Automated Tools to Support Information Location", - "parameters": [ - { - "id": "cm-12.1_prm_1", - "label": "organization-defined information by information type" - }, - { - "id": "cm-12.1_prm_2", - "label": "organization-defined system components" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-12(1)" - }, - { - "name": "sort-id", - "value": "CM-12(01)" - } - ], - "parts": [ - { - "id": "cm-12.1_smt", - "name": "statement", - "prose": "Use automated tools to identify {{ cm-12.1_prm_1 }} on {{ cm-12.1_prm_2 }} to ensure controls are in place to protect organizational information and individual privacy." - }, - { - "id": "cm-12.1_gdn", - "name": "guidance", - "prose": "The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions." - } - ] - } - ] - } - ] - }, - { - "id": "cp", - "class": "family", - "title": "Contingency Planning", - "controls": [ - { - "id": "cp-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "cp-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cp-1_prm_2" - }, - { - "id": "cp-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "cp-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "cp-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-1" - }, - { - "name": "sort-id", - "value": "CP-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cp-1_smt", - "name": "statement", - "parts": [ - { - "id": "cp-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ cp-1_prm_1 }}:", - "parts": [ - { - "id": "cp-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cp-1_prm_2 }} contingency planning policy that:", - "parts": [ - { - "id": "cp-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "cp-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "cp-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" - } - ] - }, - { - "id": "cp-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" - }, - { - "id": "cp-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current contingency planning:", - "parts": [ - { - "id": "cp-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ cp-1_prm_4 }}; and" - }, - { - "id": "cp-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ cp-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "cp-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "cp-2", - "class": "SP800-53", - "title": "Contingency Plan", - "parameters": [ - { - "id": "cp-2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cp-2_prm_2", - "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "id": "cp-2_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "cp-2_prm_4", - "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2" - }, - { - "name": "sort-id", - "value": "CP-02" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#7a93e915-fd58-4147-be12-e48044c367e6", - "rel": "reference", - "text": "[IR 8179]" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#cp-11", - "rel": "related", - "text": "CP-11" - }, - { - "href": "#cp-13", - "rel": "related", - "text": "CP-13" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cp-2_smt", - "name": "statement", - "parts": [ - { - "id": "cp-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a contingency plan for the system that:", - "parts": [ - { - "id": "cp-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Identifies essential missions and business functions and associated contingency requirements;" - }, - { - "id": "cp-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Provides recovery objectives, restoration priorities, and metrics;" - }, - { - "id": "cp-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" - }, - { - "id": "cp-2_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;" - }, - { - "id": "cp-2_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and" - }, - { - "id": "cp-2_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Is reviewed and approved by {{ cp-2_prm_1 }};" - } - ] - }, - { - "id": "cp-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the contingency plan to {{ cp-2_prm_2 }};" - }, - { - "id": "cp-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Coordinate contingency planning activities with incident handling activities;" - }, - { - "id": "cp-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review the contingency plan for the system {{ cp-2_prm_3 }};" - }, - { - "id": "cp-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" - }, - { - "id": "cp-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Communicate contingency plan changes to {{ cp-2_prm_4 }}; and" - }, - { - "id": "cp-2_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Protect the contingency plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "cp-2_gdn", - "name": "guidance", - "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.\nIn addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family." - } - ], - "controls": [ - { - "id": "cp-2.1", - "class": "SP800-53-enhancement", - "title": "Coordinate with Related Plans", - "properties": [ - { - "name": "label", - "value": "CP-2(1)" - }, - { - "name": "sort-id", - "value": "CP-02(01)" - } - ], - "parts": [ - { - "id": "cp-2.1_smt", - "name": "statement", - "prose": "Coordinate contingency plan development with organizational elements responsible for related plans." - }, - { - "id": "cp-2.1_gdn", - "name": "guidance", - "prose": "Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans." - } - ] - }, - { - "id": "cp-2.3", - "class": "SP800-53-enhancement", - "title": "Resume Missions and Business Functions", - "parameters": [ - { - "id": "cp-2.3_prm_1" - }, - { - "id": "cp-2.3_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2(3)" - }, - { - "name": "sort-id", - "value": "CP-02(03)" - } - ], - "parts": [ - { - "id": "cp-2.3_smt", - "name": "statement", - "prose": "Plan for the resumption of {{ cp-2.3_prm_1 }} missions and business functions within {{ cp-2.3_prm_2 }} of contingency plan activation." - }, - { - "id": "cp-2.3_gdn", - "name": "guidance", - "prose": "Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure." - } - ] - }, - { - "id": "cp-2.8", - "class": "SP800-53-enhancement", - "title": "Identify Critical Assets", - "parameters": [ - { - "id": "cp-2.8_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-2(8)" - }, - { - "name": "sort-id", - "value": "CP-02(08)" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - } - ], - "parts": [ - { - "id": "cp-2.8_smt", - "name": "statement", - "prose": "Identify critical system assets supporting {{ cp-2.8_prm_1 }} missions and business functions." - }, - { - "id": "cp-2.8_gdn", - "name": "guidance", - "prose": "Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement." - } - ] - } - ] - }, - { - "id": "cp-3", - "class": "SP800-53", - "title": "Contingency Training", - "parameters": [ - { - "id": "cp-3_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "cp-3_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-3" - }, - { - "name": "sort-id", - "value": "CP-03" - } - ], - "links": [ - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "cp-3_smt", - "name": "statement", - "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", - "parts": [ - { - "id": "cp-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility;" - }, - { - "id": "cp-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When required by system changes; and" - }, - { - "id": "cp-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "\n {{ cp-3_prm_2 }} thereafter." - } - ] - }, - { - "id": "cp-3_gdn", - "name": "guidance", - "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan." - } - ] - }, - { - "id": "cp-4", - "class": "SP800-53", - "title": "Contingency Plan Testing", - "parameters": [ - { - "id": "cp-4_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "cp-4_prm_2", - "label": "organization-defined tests" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-4" - }, - { - "name": "sort-id", - "value": "CP-04" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#20bf433b-074c-47a0-8fca-cd591772ccd6", - "rel": "reference", - "text": "[SP 800-84]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "cp-4_smt", - "name": "statement", - "parts": [ - { - "id": "cp-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}." - }, - { - "id": "cp-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the contingency plan test results; and" - }, - { - "id": "cp-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Initiate corrective actions, if needed." - } - ] - }, - { - "id": "cp-4_gdn", - "name": "guidance", - "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." - } - ], - "controls": [ - { - "id": "cp-4.1", - "class": "SP800-53-enhancement", - "title": "Coordinate with Related Plans", - "properties": [ - { - "name": "label", - "value": "CP-4(1)" - }, - { - "name": "sort-id", - "value": "CP-04(01)" - } - ], - "links": [ - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - } - ], - "parts": [ - { - "id": "cp-4.1_smt", - "name": "statement", - "prose": "Coordinate contingency plan testing with organizational elements responsible for related plans." - }, - { - "id": "cp-4.1_gdn", - "name": "guidance", - "prose": "Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements." - } - ] - } - ] - }, - { - "id": "cp-6", - "class": "SP800-53", - "title": "Alternate Storage Site", - "properties": [ - { - "name": "label", - "value": "CP-6" - }, - { - "name": "sort-id", - "value": "CP-06" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-36", - "rel": "related", - "text": "SC-36" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-6_smt", - "name": "statement", - "parts": [ - { - "id": "cp-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and" - }, - { - "id": "cp-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensure that the alternate storage site provides controls equivalent to that of the primary site." - } - ] - }, - { - "id": "cp-6_gdn", - "name": "guidance", - "prose": "Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems." - } - ], - "controls": [ - { - "id": "cp-6.1", - "class": "SP800-53-enhancement", - "title": "Separation from Primary Site", - "properties": [ - { - "name": "label", - "value": "CP-6(1)" - }, - { - "name": "sort-id", - "value": "CP-06(01)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-6.1_smt", - "name": "statement", - "prose": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." - }, - { - "id": "cp-6.1_gdn", - "name": "guidance", - "prose": "Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." - } - ] - }, - { - "id": "cp-6.3", - "class": "SP800-53-enhancement", - "title": "Accessibility", - "properties": [ - { - "name": "label", - "value": "CP-6(3)" - }, - { - "name": "sort-id", - "value": "CP-06(03)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-6.3_smt", - "name": "statement", - "prose": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions." - }, - { - "id": "cp-6.3_gdn", - "name": "guidance", - "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted." - } - ] - } - ] - }, - { - "id": "cp-7", - "class": "SP800-53", - "title": "Alternate Processing Site", - "parameters": [ - { - "id": "cp-7_prm_1", - "label": "organization-defined system operations" - }, - { - "id": "cp-7_prm_2", - "label": "organization-defined time-period consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-7" - }, - { - "name": "sort-id", - "value": "CP-07" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-11", - "rel": "related", - "text": "PE-11" - }, - { - "href": "#pe-12", - "rel": "related", - "text": "PE-12" - }, - { - "href": "#pe-17", - "rel": "related", - "text": "PE-17" - }, - { - "href": "#sc-36", - "rel": "related", - "text": "SC-36" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-7_smt", - "name": "statement", - "parts": [ - { - "id": "cp-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ cp-7_prm_1 }} for essential missions and business functions within {{ cp-7_prm_2 }} when the primary processing capabilities are unavailable;" - }, - { - "id": "cp-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and" - }, - { - "id": "cp-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Provide controls at the alternate processing site that are equivalent to those at the primary site." - } - ] - }, - { - "id": "cp-7_gdn", - "name": "guidance", - "prose": "Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems." - } - ], - "controls": [ - { - "id": "cp-7.1", - "class": "SP800-53-enhancement", - "title": "Separation from Primary Site", - "properties": [ - { - "name": "label", - "value": "CP-7(1)" - }, - { - "name": "sort-id", - "value": "CP-07(01)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-7.1_smt", - "name": "statement", - "prose": "Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats." - }, - { - "id": "cp-7.1_gdn", - "name": "guidance", - "prose": "Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." - } - ] - }, - { - "id": "cp-7.2", - "class": "SP800-53-enhancement", - "title": "Accessibility", - "properties": [ - { - "name": "label", - "value": "CP-7(2)" - }, - { - "name": "sort-id", - "value": "CP-07(02)" - } - ], - "links": [ - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "cp-7.2_smt", - "name": "statement", - "prose": "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." - }, - { - "id": "cp-7.2_gdn", - "name": "guidance", - "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk." - } - ] - }, - { - "id": "cp-7.3", - "class": "SP800-53-enhancement", - "title": "Priority of Service", - "properties": [ - { - "name": "label", - "value": "CP-7(3)" - }, - { - "name": "sort-id", - "value": "CP-07(03)" - } - ], - "parts": [ - { - "id": "cp-7.3_smt", - "name": "statement", - "prose": "Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)." - }, - { - "id": "cp-7.3_gdn", - "name": "guidance", - "prose": "Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning." - } - ] - } - ] - }, - { - "id": "cp-8", - "class": "SP800-53", - "title": "Telecommunications Services", - "parameters": [ - { - "id": "cp-8_prm_1", - "label": "organization-defined system operations" - }, - { - "id": "cp-8_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-8" - }, - { - "name": "sort-id", - "value": "CP-08" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-11", - "rel": "related", - "text": "CP-11" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - } - ], - "parts": [ - { - "id": "cp-8_smt", - "name": "statement", - "prose": "Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for essential missions and business functions within {{ cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites." - }, - { - "id": "cp-8_gdn", - "name": "guidance", - "prose": "This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements." - } - ], - "controls": [ - { - "id": "cp-8.1", - "class": "SP800-53-enhancement", - "title": "Priority of Service Provisions", - "properties": [ - { - "name": "label", - "value": "CP-8(1)" - }, - { - "name": "sort-id", - "value": "CP-08(01)" - } - ], - "parts": [ - { - "id": "cp-8.1_smt", - "name": "statement", - "parts": [ - { - "id": "cp-8.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and" - }, - { - "id": "cp-8.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier." - } - ] - }, - { - "id": "cp-8.1_gdn", - "name": "guidance", - "prose": "Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program." - } - ] - }, - { - "id": "cp-8.2", - "class": "SP800-53-enhancement", - "title": "Single Points of Failure", - "properties": [ - { - "name": "label", - "value": "CP-8(2)" - }, - { - "name": "sort-id", - "value": "CP-08(02)" - } - ], - "parts": [ - { - "id": "cp-8.2_smt", - "name": "statement", - "prose": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." - }, - { - "id": "cp-8.2_gdn", - "name": "guidance", - "prose": "In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services." - } - ] - } - ] - }, - { - "id": "cp-9", - "class": "SP800-53", - "title": "System Backup", - "parameters": [ - { - "id": "cp-9_prm_1", - "label": "organization-defined system components" - }, - { - "id": "cp-9_prm_2", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "id": "cp-9_prm_3", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "id": "cp-9_prm_4", - "label": "organization-defined frequency consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9" - }, - { - "name": "sort-id", - "value": "CP-09" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#ae412317-c2b4-47bb-b47b-c329ce0d7a0b", - "rel": "reference", - "text": "[SP 800-130]" - }, - { - "href": "#38dbdf55-9a14-446f-b563-c48e4e3d37fb", - "rel": "reference", - "text": "[SP 800-152]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-9_smt", - "name": "statement", - "parts": [ - { - "id": "cp-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Conduct backups of user-level information contained in {{ cp-9_prm_1 }}\n {{ cp-9_prm_2 }};" - }, - { - "id": "cp-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }};" - }, - { - "id": "cp-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and" - }, - { - "id": "cp-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect the confidentiality, integrity, and availability of backup information." - } - ] - }, - { - "id": "cp-9_gdn", - "name": "guidance", - "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." - } - ], - "controls": [ - { - "id": "cp-9.1", - "class": "SP800-53-enhancement", - "title": "Testing for Reliability and Integrity", - "parameters": [ - { - "id": "cp-9.1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9(1)" - }, - { - "name": "sort-id", - "value": "CP-09(01)" - } - ], - "links": [ - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - } - ], - "parts": [ - { - "id": "cp-9.1_smt", - "name": "statement", - "prose": "Test backup information {{ cp-9.1_prm_1 }} to verify media reliability and information integrity." - }, - { - "id": "cp-9.1_gdn", - "name": "guidance", - "prose": "Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance." - } - ] - }, - { - "id": "cp-9.8", - "class": "SP800-53-enhancement", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "cp-9.8_prm_1", - "label": "organization-defined backup information" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-9(8)" - }, - { - "name": "sort-id", - "value": "CP-09(08)" - } - ], - "links": [ - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - } - ], - "parts": [ - { - "id": "cp-9.8_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ cp-9.8_prm_1 }}." - }, - { - "id": "cp-9.8_gdn", - "name": "guidance", - "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions." - } - ] - } - ] - }, - { - "id": "cp-10", - "class": "SP800-53", - "title": "System Recovery and Reconstitution", - "parameters": [ - { - "id": "cp-10_prm_1", - "label": "organization-defined time-period consistent with recovery time and recovery point objectives" - } - ], - "properties": [ - { - "name": "label", - "value": "CP-10" - }, - { - "name": "sort-id", - "value": "CP-10" - } - ], - "links": [ - { - "href": "#65774382-fcc6-4bbc-89fc-9d35aab19952", - "rel": "reference", - "text": "[SP 800-34]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-24", - "rel": "related", - "text": "SC-24" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - } - ], - "parts": [ - { - "id": "cp-10_smt", - "name": "statement", - "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure." - }, - { - "id": "cp-10_gdn", - "name": "guidance", - "prose": "Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." - } - ], - "controls": [ - { - "id": "cp-10.2", - "class": "SP800-53-enhancement", - "title": "Transaction Recovery", - "properties": [ - { - "name": "label", - "value": "CP-10(2)" - }, - { - "name": "sort-id", - "value": "CP-10(02)" - } - ], - "parts": [ - { - "id": "cp-10.2_smt", - "name": "statement", - "prose": "Implement transaction recovery for systems that are transaction-based." - }, - { - "id": "cp-10.2_gdn", - "name": "guidance", - "prose": "Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling." - } - ] - } - ] - } - ] - }, - { - "id": "ia", - "class": "family", - "title": "Identification and Authentication", - "controls": [ - { - "id": "ia-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ia-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ia-1_prm_2" - }, - { - "id": "ia-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ia-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ia-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-1" - }, - { - "name": "sort-id", - "value": "IA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ia-1_smt", - "name": "statement", - "parts": [ - { - "id": "ia-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ia-1_prm_1 }}:", - "parts": [ - { - "id": "ia-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ia-1_prm_2 }} identification and authentication policy that:", - "parts": [ - { - "id": "ia-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ia-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ia-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" - } - ] - }, - { - "id": "ia-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" - }, - { - "id": "ia-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current identification and authentication:", - "parts": [ - { - "id": "ia-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ia-1_prm_4 }}; and" - }, - { - "id": "ia-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ia-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ia-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ia-2", - "class": "SP800-53", - "title": "Identification and Authentication (organizational Users)", - "properties": [ - { - "name": "label", - "value": "IA-2" - }, - { - "name": "sort-id", - "value": "IA-02" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa", - "rel": "reference", - "text": "[SP 800-156]" - }, - { - "href": "#a8f55663-86c5-415b-aabe-d2a126981d65", - "rel": "reference", - "text": "[SP 800-166]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#daf69edb-a0ef-4447-9880-8c4bf553181f", - "rel": "reference", - "text": "[IR 7676]" - }, - { - "href": "#a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "rel": "reference", - "text": "[IR 7817]" - }, - { - "href": "#972c10bd-aedf-485f-b0db-f46a402127e2", - "rel": "reference", - "text": "[IR 7849]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "ia-2_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users." - }, - { - "id": "ia-2_gdn", - "name": "guidance", - "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8." - } - ], - "controls": [ - { - "id": "ia-2.1", - "class": "SP800-53-enhancement", - "title": "Multifactor Authentication to Privileged Accounts", - "properties": [ - { - "name": "label", - "value": "IA-2(1)" - }, - { - "name": "sort-id", - "value": "IA-02(01)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - } - ], - "parts": [ - { - "id": "ia-2.1_smt", - "name": "statement", - "prose": "Implement multifactor authentication for access to privileged accounts." - }, - { - "id": "ia-2.1_gdn", - "name": "guidance", - "prose": "Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." - } - ] - }, - { - "id": "ia-2.2", - "class": "SP800-53-enhancement", - "title": "Multifactor Authentication to Non-privileged Accounts", - "properties": [ - { - "name": "label", - "value": "IA-2(2)" - }, - { - "name": "sort-id", - "value": "IA-02(02)" - } - ], - "links": [ - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - } - ], - "parts": [ - { - "id": "ia-2.2_smt", - "name": "statement", - "prose": "Implement multifactor authentication for access to non-privileged accounts." - }, - { - "id": "ia-2.2_gdn", - "name": "guidance", - "prose": "Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." - } - ] - }, - { - "id": "ia-2.8", - "class": "SP800-53-enhancement", - "title": "Access to Accounts — Replay Resistant", - "parameters": [ - { - "id": "ia-2.8_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-2(8)" - }, - { - "name": "sort-id", - "value": "IA-02(08)" - } - ], - "parts": [ - { - "id": "ia-2.8_smt", - "name": "statement", - "prose": "Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}." - }, - { - "id": "ia-2.8_gdn", - "name": "guidance", - "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators." - } - ] - }, - { - "id": "ia-2.12", - "class": "SP800-53-enhancement", - "title": "Acceptance of PIV Credentials", - "properties": [ - { - "name": "label", - "value": "IA-2(12)" - }, - { - "name": "sort-id", - "value": "IA-02(12)" - } - ], - "parts": [ - { - "id": "ia-2.12_smt", - "name": "statement", - "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials." - }, - { - "id": "ia-2.12_gdn", - "name": "guidance", - "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential." - } - ] - } - ] - }, - { - "id": "ia-3", - "class": "SP800-53", - "title": "Device Identification and Authentication", - "parameters": [ - { - "id": "ia-3_prm_1", - "label": "organization-defined devices and/or types of devices" - }, - { - "id": "ia-3_prm_2" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-3" - }, - { - "name": "sort-id", - "value": "IA-03" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "ia-3_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }} connection." - }, - { - "id": "ia-3_gdn", - "name": "guidance", - "prose": "Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need." - } - ] - }, - { - "id": "ia-4", - "class": "SP800-53", - "title": "Identifier Management", - "parameters": [ - { - "id": "ia-4_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ia-4_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-4" - }, - { - "name": "sort-id", - "value": "IA-04" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - } - ], - "parts": [ - { - "id": "ia-4_smt", - "name": "statement", - "prose": "Manage system identifiers by:", - "parts": [ - { - "id": "ia-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier;" - }, - { - "id": "ia-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" - }, - { - "id": "ia-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" - }, - { - "id": "ia-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Preventing reuse of identifiers for {{ ia-4_prm_2 }}." - } - ] - }, - { - "id": "ia-4_gdn", - "name": "guidance", - "prose": "Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." - } - ], - "controls": [ - { - "id": "ia-4.4", - "class": "SP800-53-enhancement", - "title": "Identify User Status", - "parameters": [ - { - "id": "ia-4.4_prm_1", - "label": "organization-defined characteristic identifying individual status" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-4(4)" - }, - { - "name": "sort-id", - "value": "IA-04(04)" - } - ], - "parts": [ - { - "id": "ia-4.4_smt", - "name": "statement", - "prose": "Manage individual identifiers by uniquely identifying each individual as {{ ia-4.4_prm_1 }}." - }, - { - "id": "ia-4.4_gdn", - "name": "guidance", - "prose": "Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor." - } - ] - } - ] - }, - { - "id": "ia-5", - "class": "SP800-53", - "title": "Authenticator Management", - "parameters": [ - { - "id": "ia-5_prm_1", - "label": "organization-defined time-period by authenticator type" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-5" - }, - { - "name": "sort-id", - "value": "IA-05" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "rel": "reference", - "text": "[IR 7817]" - }, - { - "href": "#972c10bd-aedf-485f-b0db-f46a402127e2", - "rel": "reference", - "text": "[IR 7849]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#24738ee6-b3f3-4e37-825b-58775846bdbc", - "rel": "reference", - "text": "[IR 8040]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - } - ], - "parts": [ - { - "id": "ia-5_smt", - "name": "statement", - "prose": "Manage system authenticators by:", - "parts": [ - { - "id": "ia-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" - }, - { - "id": "ia-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" - }, - { - "id": "ia-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" - }, - { - "id": "ia-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" - }, - { - "id": "ia-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;" - }, - { - "id": "ia-5_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Changing default authenticators prior to first use;" - }, - { - "id": "ia-5_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Changing or refreshing authenticators {{ ia-5_prm_1 }};" - }, - { - "id": "ia-5_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Protecting authenticator content from unauthorized disclosure and modification;" - }, - { - "id": "ia-5_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" - }, - { - "id": "ia-5_smt.j", - "name": "item", - "properties": [ - { - "name": "label", - "value": "j." - } - ], - "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." - } - ] - }, - { - "id": "ia-5_gdn", - "name": "guidance", - "prose": "Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." - } - ], - "controls": [ - { - "id": "ia-5.1", - "class": "SP800-53-enhancement", - "title": "Password-based Authentication", - "parameters": [ - { - "id": "ia-5.1_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ia-5.1_prm_2", - "label": "organization-defined composition and complexity rules" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-5(1)" - }, - { - "name": "sort-id", - "value": "IA-05(01)" - } - ], - "links": [ - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - } - ], - "parts": [ - { - "id": "ia-5.1_smt", - "name": "statement", - "prose": "For password-based authentication:", - "parts": [ - { - "id": "ia-5.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" - }, - { - "id": "ia-5.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;" - }, - { - "id": "ia-5.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Transmit only cryptographically-protected passwords;" - }, - { - "id": "ia-5.1_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;" - }, - { - "id": "ia-5.1_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(e)" - } - ], - "prose": "Require immediate selection of a new password upon account recovery;" - }, - { - "id": "ia-5.1_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(f)" - } - ], - "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" - }, - { - "id": "ia-5.1_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(g)" - } - ], - "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" - }, - { - "id": "ia-5.1_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(h)" - } - ], - "prose": "Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}." - } - ] - }, - { - "id": "ia-5.1_gdn", - "name": "guidance", - "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof." - } - ] - }, - { - "id": "ia-5.2", - "class": "SP800-53-enhancement", - "title": "Implement a local cache of revocation data to support path discovery and validation.", - "properties": [ - { - "name": "label", - "value": "IA-5(2)" - }, - { - "name": "sort-id", - "value": "IA-05(02)" - } - ], - "links": [ - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#sc-17", - "rel": "related", - "text": "SC-17" - } - ], - "parts": [ - { - "id": "ia-5.2_smt", - "name": "statement", - "prose": "Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network." - }, - { - "id": "ia-5.2_gdn", - "name": "guidance" - } - ] - }, - { - "id": "ia-5.6", - "class": "SP800-53-enhancement", - "title": "Protection of Authenticators", - "properties": [ - { - "name": "label", - "value": "IA-5(6)" - }, - { - "name": "sort-id", - "value": "IA-05(06)" - } - ], - "links": [ - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - } - ], - "parts": [ - { - "id": "ia-5.6_smt", - "name": "statement", - "prose": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access." - }, - { - "id": "ia-5.6_gdn", - "name": "guidance", - "prose": "For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process." - } - ] - } - ] - }, - { - "id": "ia-6", - "class": "SP800-53", - "title": "Authenticator Feedback", - "properties": [ - { - "name": "label", - "value": "IA-6" - }, - { - "name": "sort-id", - "value": "IA-06" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - } - ], - "parts": [ - { - "id": "ia-6_smt", - "name": "statement", - "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." - }, - { - "id": "ia-6_gdn", - "name": "guidance", - "prose": "Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it." - } - ] - }, - { - "id": "ia-7", - "class": "SP800-53", - "title": "Cryptographic Module Authentication", - "properties": [ - { - "name": "label", - "value": "IA-7" - }, - { - "name": "sort-id", - "value": "IA-07" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "ia-7_smt", - "name": "statement", - "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." - }, - { - "id": "ia-7_gdn", - "name": "guidance", - "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." - } - ] - }, - { - "id": "ia-8", - "class": "SP800-53", - "title": "Identification and Authentication (non-organizational Users)", - "properties": [ - { - "name": "label", - "value": "IA-8" - }, - { - "name": "sort-id", - "value": "IA-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "rel": "reference", - "text": "[SP 800-116]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-10", - "rel": "related", - "text": "IA-10" - }, - { - "href": "#ia-11", - "rel": "related", - "text": "IA-11" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - } - ], - "parts": [ - { - "id": "ia-8_smt", - "name": "statement", - "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." - }, - { - "id": "ia-8_gdn", - "name": "guidance", - "prose": "Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." - } - ], - "controls": [ - { - "id": "ia-8.1", - "class": "SP800-53-enhancement", - "title": "Acceptance of PIV Credentials from Other Agencies", - "properties": [ - { - "name": "label", - "value": "IA-8(1)" - }, - { - "name": "sort-id", - "value": "IA-08(01)" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - } - ], - "parts": [ - { - "id": "ia-8.1_smt", - "name": "statement", - "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." - }, - { - "id": "ia-8.1_gdn", - "name": "guidance", - "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]." - } - ] - }, - { - "id": "ia-8.2", - "class": "SP800-53-enhancement", - "title": "Acceptance of External Credentials", - "properties": [ - { - "name": "label", - "value": "IA-8(2)" - }, - { - "name": "sort-id", - "value": "IA-08(02)" - } - ], - "parts": [ - { - "id": "ia-8.2_smt", - "name": "statement", - "prose": "Accept only external credentials that are NIST-compliant." - }, - { - "id": "ia-8.2_gdn", - "name": "guidance", - "prose": "Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels." - } - ] - }, - { - "id": "ia-8.4", - "class": "SP800-53-enhancement", - "title": "Use of Nist-issued Profiles", - "properties": [ - { - "name": "label", - "value": "IA-8(4)" - }, - { - "name": "sort-id", - "value": "IA-08(04)" - } - ], - "parts": [ - { - "id": "ia-8.4_smt", - "name": "statement", - "prose": "Conform to NIST-issued profiles for identity management." - }, - { - "id": "ia-8.4_gdn", - "name": "guidance", - "prose": "Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols." - } - ] - } - ] - }, - { - "id": "ia-11", - "class": "SP800-53", - "title": "Re-authentication", - "parameters": [ - { - "id": "ia-11_prm_1", - "label": "organization-defined circumstances or situations requiring re-authentication" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-11" - }, - { - "name": "sort-id", - "value": "IA-11" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-11", - "rel": "related", - "text": "AC-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - } - ], - "parts": [ - { - "id": "ia-11_smt", - "name": "statement", - "prose": "Require users to re-authenticate when {{ ia-11_prm_1 }}." - }, - { - "id": "ia-11_gdn", - "name": "guidance", - "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically." - } - ] - }, - { - "id": "ia-12", - "class": "SP800-53", - "title": "Identity Proofing", - "properties": [ - { - "name": "label", - "value": "IA-12" - }, - { - "name": "sort-id", - "value": "IA-12" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#3c50fa31-7f4d-4d30-91d7-27ee87cd5f75", - "rel": "reference", - "text": "[SP 800-63A]" - }, - { - "href": "#bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "rel": "reference", - "text": "[SP 800-79-2]" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-6", - "rel": "related", - "text": "IA-6" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - } - ], - "parts": [ - { - "id": "ia-12_smt", - "name": "statement", - "parts": [ - { - "id": "ia-12_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;" - }, - { - "id": "ia-12_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Resolve user identities to a unique individual; and" - }, - { - "id": "ia-12_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Collect, validate, and verify identity evidence." - } - ] - }, - { - "id": "ia-12_gdn", - "name": "guidance", - "prose": "Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A]." - } - ], - "controls": [ - { - "id": "ia-12.2", - "class": "SP800-53-enhancement", - "title": "Identity Evidence", - "properties": [ - { - "name": "label", - "value": "IA-12(2)" - }, - { - "name": "sort-id", - "value": "IA-12(02)" - } - ], - "parts": [ - { - "id": "ia-12.2_smt", - "name": "statement", - "prose": "Require evidence of individual identification be presented to the registration authority." - }, - { - "id": "ia-12.2_gdn", - "name": "guidance", - "prose": "Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account." - } - ] - }, - { - "id": "ia-12.3", - "class": "SP800-53-enhancement", - "title": "Identity Evidence Validation and Verification", - "parameters": [ - { - "id": "ia-12.3_prm_1", - "label": "organizational defined methods of validation and verification" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-12(3)" - }, - { - "name": "sort-id", - "value": "IA-12(03)" - } - ], - "parts": [ - { - "id": "ia-12.3_smt", - "name": "statement", - "prose": "Require that the presented identity evidence be validated and verified through {{ ia-12.3_prm_1 }}." - }, - { - "id": "ia-12.3_gdn", - "name": "guidance", - "prose": "Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account" - } - ] - }, - { - "id": "ia-12.5", - "class": "SP800-53-enhancement", - "title": "Address Confirmation", - "parameters": [ - { - "id": "ia-12.5_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "IA-12(5)" - }, - { - "name": "sort-id", - "value": "IA-12(05)" - } - ], - "links": [ - { - "href": "#ia-12", - "rel": "related", - "text": "IA-12" - } - ], - "parts": [ - { - "id": "ia-12.5_smt", - "name": "statement", - "prose": "Require that a {{ ia-12.5_prm_1 }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record." - }, - { - "id": "ia-12.5_gdn", - "name": "guidance", - "prose": "To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses." - } - ] - } - ] - } - ] - }, - { - "id": "ir", - "class": "family", - "title": "Incident Response", - "controls": [ - { - "id": "ir-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ir-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-1_prm_2" - }, - { - "id": "ir-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ir-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ir-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-1" - }, - { - "name": "sort-id", - "value": "IR-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ir-1_smt", - "name": "statement", - "parts": [ - { - "id": "ir-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ir-1_prm_1 }}:", - "parts": [ - { - "id": "ir-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ir-1_prm_2 }} incident response policy that:", - "parts": [ - { - "id": "ir-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ir-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ir-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" - } - ] - }, - { - "id": "ir-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" - }, - { - "id": "ir-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current incident response:", - "parts": [ - { - "id": "ir-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ir-1_prm_4 }}; and" - }, - { - "id": "ir-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ir-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ir-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ir-2", - "class": "SP800-53", - "title": "Incident Response Training", - "parameters": [ - { - "id": "ir-2_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ir-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-2" - }, - { - "name": "sort-id", - "value": "IR-02" - } - ], - "links": [ - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "ir-2_smt", - "name": "statement", - "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", - "parts": [ - { - "id": "ir-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access;" - }, - { - "id": "ir-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "When required by system changes; and" - }, - { - "id": "ir-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "\n {{ ir-2_prm_2 }} thereafter." - } - ] - }, - { - "id": "ir-2_gdn", - "name": "guidance", - "prose": "Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3." - } - ] - }, - { - "id": "ir-3", - "class": "SP800-53", - "title": "Incident Response Testing", - "parameters": [ - { - "id": "ir-3_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ir-3_prm_2", - "label": "organization-defined tests" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-3" - }, - { - "name": "sort-id", - "value": "IR-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#20bf433b-074c-47a0-8fca-cd591772ccd6", - "rel": "reference", - "text": "[SP 800-84]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - } - ], - "parts": [ - { - "id": "ir-3_smt", - "name": "statement", - "prose": "Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}." - }, - { - "id": "ir-3_gdn", - "name": "guidance", - "prose": "Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." - } - ], - "controls": [ - { - "id": "ir-3.2", - "class": "SP800-53-enhancement", - "title": "Coordination with Related Plans", - "properties": [ - { - "name": "label", - "value": "IR-3(2)" - }, - { - "name": "sort-id", - "value": "IR-03(02)" - } - ], - "parts": [ - { - "id": "ir-3.2_smt", - "name": "statement", - "prose": "Coordinate incident response testing with organizational elements responsible for related plans." - }, - { - "id": "ir-3.2_gdn", - "name": "guidance", - "prose": "Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans." - } - ] - } - ] - }, - { - "id": "ir-4", - "class": "SP800-53", - "title": "Incident Handling", - "properties": [ - { - "name": "label", - "value": "IR-4" - }, - { - "name": "sort-id", - "value": "IR-04" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#35dfd59f-eef2-4f71-bdb5-6d878267456a", - "rel": "reference", - "text": "[SP 800-86]" - }, - { - "href": "#1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "rel": "reference", - "text": "[SP 800-101]" - }, - { - "href": "#ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "rel": "reference", - "text": "[SP 800-150]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#08f518f7-f9b9-4bee-8986-860214f46b16", - "rel": "reference", - "text": "[SP 800-184]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ir-4_smt", - "name": "statement", - "parts": [ - { - "id": "ir-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" - }, - { - "id": "ir-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate incident handling activities with contingency planning activities;" - }, - { - "id": "ir-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" - }, - { - "id": "ir-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." - } - ] - }, - { - "id": "ir-4_gdn", - "name": "guidance", - "prose": "Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk." - } - ], - "controls": [ - { - "id": "ir-4.1", - "class": "SP800-53-enhancement", - "title": "Automated Incident Handling Processes", - "parameters": [ - { - "id": "ir-4.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-4(1)" - }, - { - "name": "sort-id", - "value": "IR-04(01)" - } - ], - "parts": [ - { - "id": "ir-4.1_smt", - "name": "statement", - "prose": "Support the incident handling process using {{ ir-4.1_prm_1 }}." - }, - { - "id": "ir-4.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis." - } - ] - } - ] - }, - { - "id": "ir-5", - "class": "SP800-53", - "title": "Incident Monitoring", - "properties": [ - { - "name": "label", - "value": "IR-5" - }, - { - "name": "sort-id", - "value": "IR-05" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ir-5_smt", - "name": "statement", - "prose": "Track and document security, privacy, and supply chain incidents." - }, - { - "id": "ir-5_gdn", - "name": "guidance", - "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports." - } - ] - }, - { - "id": "ir-6", - "class": "SP800-53", - "title": "Incident Reporting", - "parameters": [ - { - "id": "ir-6_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ir-6_prm_2", - "label": "organization-defined authorities" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-6" - }, - { - "name": "sort-id", - "value": "IR-06" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "ir-6_smt", - "name": "statement", - "parts": [ - { - "id": "ir-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and" - }, - { - "id": "ir-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}." - } - ] - }, - { - "id": "ir-6_gdn", - "name": "guidance", - "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ], - "controls": [ - { - "id": "ir-6.1", - "class": "SP800-53-enhancement", - "title": "Automated Reporting", - "parameters": [ - { - "id": "ir-6.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-6(1)" - }, - { - "name": "sort-id", - "value": "IR-06(01)" - } - ], - "links": [ - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - } - ], - "parts": [ - { - "id": "ir-6.1_smt", - "name": "statement", - "prose": "Report incidents using {{ ir-6.1_prm_1 }}." - }, - { - "id": "ir-6.1_gdn", - "name": "guidance", - "prose": "Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs." - } - ] - }, - { - "id": "ir-6.3", - "class": "SP800-53-enhancement", - "title": "Supply Chain Coordination", - "properties": [ - { - "name": "label", - "value": "IR-6(3)" - }, - { - "name": "sort-id", - "value": "IR-06(03)" - } - ], - "links": [ - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - } - ], - "parts": [ - { - "id": "ir-6.3_smt", - "name": "statement", - "prose": "Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident." - }, - { - "id": "ir-6.3_gdn", - "name": "guidance", - "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident." - } - ] - } - ] - }, - { - "id": "ir-7", - "class": "SP800-53", - "title": "Incident Response Assistance", - "properties": [ - { - "name": "label", - "value": "IR-7" - }, - { - "name": "sort-id", - "value": "IR-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-26", - "rel": "related", - "text": "PM-26" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "ir-7_smt", - "name": "statement", - "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents." - }, - { - "id": "ir-7_gdn", - "name": "guidance", - "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." - } - ], - "controls": [ - { - "id": "ir-7.1", - "class": "SP800-53-enhancement", - "title": "Automation Support for Availability of Information and Support", - "parameters": [ - { - "id": "ir-7.1_prm_1", - "label": "organization-defined automated mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-7(1)" - }, - { - "name": "sort-id", - "value": "IR-07(01)" - } - ], - "parts": [ - { - "id": "ir-7.1_smt", - "name": "statement", - "prose": "Increase the availability of incident response information and support using {{ ir-7.1_prm_1 }}." - }, - { - "id": "ir-7.1_gdn", - "name": "guidance", - "prose": "Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support." - } - ] - } - ] - }, - { - "id": "ir-8", - "class": "SP800-53", - "title": "Incident Response Plan", - "parameters": [ - { - "id": "ir-8_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-8_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "ir-8_prm_3", - "label": "organization-defined entities, personnel, or roles" - }, - { - "id": "ir-8_prm_4", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "id": "ir-8_prm_5", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-8" - }, - { - "name": "sort-id", - "value": "IR-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#389fe193-866e-46b1-bf1d-38904b56aa7b", - "rel": "reference", - "text": "[OMB M-17-12]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - } - ], - "parts": [ - { - "id": "ir-8_smt", - "name": "statement", - "parts": [ - { - "id": "ir-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop an incident response plan that:", - "parts": [ - { - "id": "ir-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Provides the organization with a roadmap for implementing its incident response capability;" - }, - { - "id": "ir-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Describes the structure and organization of the incident response capability;" - }, - { - "id": "ir-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" - }, - { - "id": "ir-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" - }, - { - "id": "ir-8_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Defines reportable incidents;" - }, - { - "id": "ir-8_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provides metrics for measuring the incident response capability within the organization;" - }, - { - "id": "ir-8_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" - }, - { - "id": "ir-8_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and" - }, - { - "id": "ir-8_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}." - } - ] - }, - { - "id": "ir-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the incident response plan to {{ ir-8_prm_4 }};" - }, - { - "id": "ir-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" - }, - { - "id": "ir-8_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Communicate incident response plan changes to {{ ir-8_prm_5 }}; and" - }, - { - "id": "ir-8_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the incident response plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "ir-8_gdn", - "name": "guidance", - "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." - } - ] - } - ] - }, - { - "id": "ma", - "class": "family", - "title": "Maintenance", - "controls": [ - { - "id": "ma-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ma-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ma-1_prm_2" - }, - { - "id": "ma-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ma-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ma-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-1" - }, - { - "name": "sort-id", - "value": "MA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ma-1_smt", - "name": "statement", - "parts": [ - { - "id": "ma-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ma-1_prm_1 }}:", - "parts": [ - { - "id": "ma-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ma-1_prm_2 }} maintenance policy that:", - "parts": [ - { - "id": "ma-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ma-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ma-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" - } - ] - }, - { - "id": "ma-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" - }, - { - "id": "ma-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current maintenance:", - "parts": [ - { - "id": "ma-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ma-1_prm_4 }}; and" - }, - { - "id": "ma-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ma-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ma-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ma-2", - "class": "SP800-53", - "title": "Controlled Maintenance", - "parameters": [ - { - "id": "ma-2_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ma-2_prm_2", - "label": "organization-defined information" - }, - { - "id": "ma-2_prm_3", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-2" - }, - { - "name": "sort-id", - "value": "MA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "ma-2_smt", - "name": "statement", - "parts": [ - { - "id": "ma-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" - }, - { - "id": "ma-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" - }, - { - "id": "ma-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" - }, - { - "id": "ma-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }};" - }, - { - "id": "ma-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" - }, - { - "id": "ma-2_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}." - } - ] - }, - { - "id": "ma-2_gdn", - "name": "guidance", - "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems." - } - ] - }, - { - "id": "ma-3", - "class": "SP800-53", - "title": "Maintenance Tools", - "parameters": [ - { - "id": "ma-3_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-3" - }, - { - "name": "sort-id", - "value": "MA-03" - } - ], - "links": [ - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - } - ], - "parts": [ - { - "id": "ma-3_smt", - "name": "statement", - "parts": [ - { - "id": "ma-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve, control, and monitor the use of system maintenance tools; and" - }, - { - "id": "ma-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review previously approved system maintenance tools {{ ma-3_prm_1 }}." - } - ] - }, - { - "id": "ma-3_gdn", - "name": "guidance", - "prose": "Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools." - } - ], - "controls": [ - { - "id": "ma-3.1", - "class": "SP800-53-enhancement", - "title": "Inspect Tools", - "properties": [ - { - "name": "label", - "value": "MA-3(1)" - }, - { - "name": "sort-id", - "value": "MA-03(01)" - } - ], - "links": [ - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ma-3.1_smt", - "name": "statement", - "prose": "Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications." - }, - { - "id": "ma-3.1_gdn", - "name": "guidance", - "prose": "Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling." - } - ] - }, - { - "id": "ma-3.2", - "class": "SP800-53-enhancement", - "title": "Inspect Media", - "properties": [ - { - "name": "label", - "value": "MA-3(2)" - }, - { - "name": "sort-id", - "value": "MA-03(02)" - } - ], - "links": [ - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - } - ], - "parts": [ - { - "id": "ma-3.2_smt", - "name": "statement", - "prose": "Check media containing diagnostic and test programs for malicious code before the media are used in the system." - }, - { - "id": "ma-3.2_gdn", - "name": "guidance", - "prose": "If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures." - } - ] - }, - { - "id": "ma-3.3", - "class": "SP800-53-enhancement", - "title": "Prevent Unauthorized Removal", - "parameters": [ - { - "id": "ma-3.3_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-3(3)" - }, - { - "name": "sort-id", - "value": "MA-03(03)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - } - ], - "parts": [ - { - "id": "ma-3.3_smt", - "name": "statement", - "prose": "Prevent the removal of maintenance equipment containing organizational information by:", - "parts": [ - { - "id": "ma-3.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Verifying that there is no organizational information contained on the equipment;" - }, - { - "id": "ma-3.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Sanitizing or destroying the equipment;" - }, - { - "id": "ma-3.3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Retaining the equipment within the facility; or" - }, - { - "id": "ma-3.3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility." - } - ] - }, - { - "id": "ma-3.3_gdn", - "name": "guidance", - "prose": "Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards." - } - ] - } - ] - }, - { - "id": "ma-4", - "class": "SP800-53", - "title": "Nonlocal Maintenance", - "properties": [ - { - "name": "label", - "value": "MA-4" - }, - { - "name": "sort-id", - "value": "MA-04" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#bbc7085f-b383-444e-af74-722a55cccc0f", - "rel": "reference", - "text": "[FIPS 197]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - } - ], - "parts": [ - { - "id": "ma-4_smt", - "name": "statement", - "parts": [ - { - "id": "ma-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" - }, - { - "id": "ma-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" - }, - { - "id": "ma-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;" - }, - { - "id": "ma-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" - }, - { - "id": "ma-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Terminate session and network connections when nonlocal maintenance is completed." - } - ] - }, - { - "id": "ma-4_gdn", - "name": "guidance", - "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls." - } - ] - }, - { - "id": "ma-5", - "class": "SP800-53", - "title": "Maintenance Personnel", - "properties": [ - { - "name": "label", - "value": "MA-5" - }, - { - "name": "sort-id", - "value": "MA-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "ma-5_smt", - "name": "statement", - "parts": [ - { - "id": "ma-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" - }, - { - "id": "ma-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" - }, - { - "id": "ma-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." - } - ] - }, - { - "id": "ma-5_gdn", - "name": "guidance", - "prose": "Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods." - } - ] - }, - { - "id": "ma-6", - "class": "SP800-53", - "title": "Timely Maintenance", - "parameters": [ - { - "id": "ma-6_prm_1", - "label": "organization-defined system components" - }, - { - "id": "ma-6_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "MA-6" - }, - { - "name": "sort-id", - "value": "MA-06" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-13", - "rel": "related", - "text": "SI-13" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "ma-6_smt", - "name": "statement", - "prose": "Obtain maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure." - }, - { - "id": "ma-6_gdn", - "name": "guidance", - "prose": "Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place." - } - ] - } - ] - }, - { - "id": "mp", - "class": "family", - "title": "Media Protection", - "controls": [ - { - "id": "mp-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "mp-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "mp-1_prm_2" - }, - { - "id": "mp-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "mp-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "mp-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-1" - }, - { - "name": "sort-id", - "value": "MP-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-1_smt", - "name": "statement", - "parts": [ - { - "id": "mp-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ mp-1_prm_1 }}:", - "parts": [ - { - "id": "mp-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ mp-1_prm_2 }} media protection policy that:", - "parts": [ - { - "id": "mp-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "mp-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "mp-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" - } - ] - }, - { - "id": "mp-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" - }, - { - "id": "mp-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current media protection:", - "parts": [ - { - "id": "mp-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ mp-1_prm_4 }}; and" - }, - { - "id": "mp-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ mp-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "mp-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "mp-2", - "class": "SP800-53", - "title": "Media Access", - "parameters": [ - { - "id": "mp-2_prm_1", - "label": "organization-defined types of digital and/or non-digital media" - }, - { - "id": "mp-2_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-2" - }, - { - "name": "sort-id", - "value": "MP-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-2_smt", - "name": "statement", - "prose": "Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}." - }, - { - "id": "mp-2_gdn", - "name": "guidance", - "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media." - } - ] - }, - { - "id": "mp-3", - "class": "SP800-53", - "title": "Media Marking", - "parameters": [ - { - "id": "mp-3_prm_1", - "label": "organization-defined types of system media" - }, - { - "id": "mp-3_prm_2", - "label": "organization-defined controlled areas" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-3" - }, - { - "name": "sort-id", - "value": "MP-03" - } - ], - "links": [ - { - "href": "#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "rel": "reference", - "text": "[32 CFR 2002]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-22", - "rel": "related", - "text": "PE-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-3_smt", - "name": "statement", - "parts": [ - { - "id": "mp-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" - }, - { - "id": "mp-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Exempt {{ mp-3_prm_1 }} from marking if the media remain within {{ mp-3_prm_2 }}." - } - ] - }, - { - "id": "mp-3_gdn", - "name": "guidance", - "prose": "Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "mp-4", - "class": "SP800-53", - "title": "Media Storage", - "parameters": [ - { - "id": "mp-4_prm_1", - "label": "organization-defined types of digital and/or non-digital media" - }, - { - "id": "mp-4_prm_2", - "label": "organization-defined controlled areas" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-4" - }, - { - "name": "sort-id", - "value": "MP-04" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "rel": "reference", - "text": "[SP 800-56A]" - }, - { - "href": "#f417e4ec-cadb-47a8-a363-6006b32c28ad", - "rel": "reference", - "text": "[SP 800-56B]" - }, - { - "href": "#7c3ba335-62bd-4f03-888f-960790409b11", - "rel": "reference", - "text": "[SP 800-56C]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-4_smt", - "name": "statement", - "parts": [ - { - "id": "mp-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Physically control and securely store {{ mp-4_prm_1 }} within {{ mp-4_prm_2 }}; and" - }, - { - "id": "mp-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures." - } - ] - }, - { - "id": "mp-4_gdn", - "name": "guidance", - "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection." - } - ] - }, - { - "id": "mp-5", - "class": "SP800-53", - "title": "Media Transport", - "parameters": [ - { - "id": "mp-5_prm_1", - "label": "organization-defined types of system media" - }, - { - "id": "mp-5_prm_2", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-5" - }, - { - "name": "sort-id", - "value": "MP-05" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#mp-3", - "rel": "related", - "text": "MP-3" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - } - ], - "parts": [ - { - "id": "mp-5_smt", - "name": "statement", - "parts": [ - { - "id": "mp-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Protect and control {{ mp-5_prm_1 }} during transport outside of controlled areas using {{ mp-5_prm_2 }};" - }, - { - "id": "mp-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain accountability for system media during transport outside of controlled areas;" - }, - { - "id": "mp-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document activities associated with the transport of system media; and" - }, - { - "id": "mp-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Restrict the activities associated with the transport of system media to authorized personnel." - } - ] - }, - { - "id": "mp-5_gdn", - "name": "guidance", - "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records." - } - ] - }, - { - "id": "mp-6", - "class": "SP800-53", - "title": "Media Sanitization", - "parameters": [ - { - "id": "mp-6_prm_1", - "label": "organization-defined system media" - }, - { - "id": "mp-6_prm_2", - "label": "organization-defined sanitization techniques and procedures" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-6" - }, - { - "name": "sort-id", - "value": "MP-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#a52271dc-11b5-423a-8b6f-14867bd94259", - "rel": "reference", - "text": "[NSA MEDIA]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "mp-6_smt", - "name": "statement", - "parts": [ - { - "id": "mp-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and" - }, - { - "id": "mp-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." - } - ] - }, - { - "id": "mp-6_gdn", - "name": "guidance", - "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information." - } - ] - }, - { - "id": "mp-7", - "class": "SP800-53", - "title": "Media Use", - "parameters": [ - { - "id": "mp-7_prm_1" - }, - { - "id": "mp-7_prm_2", - "label": "organization-defined types of system media" - }, - { - "id": "mp-7_prm_3", - "label": "organization-defined systems or system components" - }, - { - "id": "mp-7_prm_4", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-7" - }, - { - "name": "sort-id", - "value": "MP-07" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#sc-41", - "rel": "related", - "text": "SC-41" - } - ], - "parts": [ - { - "id": "mp-7_smt", - "name": "statement", - "parts": [ - { - "id": "mp-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "\n {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and" - }, - { - "id": "mp-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." - } - ] - }, - { - "id": "mp-7_gdn", - "name": "guidance", - "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." - } - ] - } - ] - }, - { - "id": "pe", - "class": "family", - "title": "Physical and Environmental Protection", - "controls": [ - { - "id": "pe-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pe-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pe-1_prm_2" - }, - { - "id": "pe-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pe-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pe-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-1" - }, - { - "name": "sort-id", - "value": "PE-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pe-1_smt", - "name": "statement", - "parts": [ - { - "id": "pe-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pe-1_prm_1 }}:", - "parts": [ - { - "id": "pe-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pe-1_prm_2 }} physical and environmental protection policy that:", - "parts": [ - { - "id": "pe-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pe-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pe-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" - } - ] - }, - { - "id": "pe-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" - }, - { - "id": "pe-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current physical and environmental protection:", - "parts": [ - { - "id": "pe-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pe-1_prm_4 }}; and" - }, - { - "id": "pe-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pe-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pe-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pe-2", - "class": "SP800-53", - "title": "Physical Access Authorizations", - "parameters": [ - { - "id": "pe-2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-2" - }, - { - "name": "sort-id", - "value": "PE-02" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-8", - "rel": "related", - "text": "PE-8" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - } - ], - "parts": [ - { - "id": "pe-2_smt", - "name": "statement", - "parts": [ - { - "id": "pe-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" - }, - { - "id": "pe-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Issue authorization credentials for facility access;" - }, - { - "id": "pe-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and" - }, - { - "id": "pe-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Remove individuals from the facility access list when access is no longer required." - } - ] - }, - { - "id": "pe-2_gdn", - "name": "guidance", - "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible." - } - ] - }, - { - "id": "pe-3", - "class": "SP800-53", - "title": "Physical Access Control", - "parameters": [ - { - "id": "pe-3_prm_1", - "label": "organization-defined entry and exit points to the facility where the system resides" - }, - { - "id": "pe-3_prm_2" - }, - { - "id": "pe-3_prm_3", - "depends-on": "pe-3_prm_2", - "label": "organization-defined physical access control systems or devices" - }, - { - "id": "pe-3_prm_4", - "label": "organization-defined entry or exit points" - }, - { - "id": "pe-3_prm_5", - "label": "organization-defined controls" - }, - { - "id": "pe-3_prm_6", - "label": "organization-defined circumstances requiring visitor escorts and monitoring" - }, - { - "id": "pe-3_prm_7", - "label": "organization-defined physical access devices" - }, - { - "id": "pe-3_prm_8", - "label": "organization-defined frequency" - }, - { - "id": "pe-3_prm_9", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-3" - }, - { - "name": "sort-id", - "value": "PE-03" - } - ], - "links": [ - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "rel": "reference", - "text": "[SP 800-116]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-8", - "rel": "related", - "text": "PE-8" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "pe-3_smt", - "name": "statement", - "parts": [ - { - "id": "pe-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Enforce physical access authorizations at {{ pe-3_prm_1 }} by:", - "parts": [ - { - "id": "pe-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Verifying individual access authorizations before granting access to the facility; and" - }, - { - "id": "pe-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Controlling ingress and egress to the facility using {{ pe-3_prm_2 }};" - } - ] - }, - { - "id": "pe-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain physical access audit logs for {{ pe-3_prm_4 }};" - }, - { - "id": "pe-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }};" - }, - { - "id": "pe-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Escort visitors and monitor visitor activity {{ pe-3_prm_6 }};" - }, - { - "id": "pe-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Secure keys, combinations, and other physical access devices;" - }, - { - "id": "pe-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and" - }, - { - "id": "pe-3_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." - } - ] - }, - { - "id": "pe-3_gdn", - "name": "guidance", - "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." - } - ] - }, - { - "id": "pe-4", - "class": "SP800-53", - "title": "Access Control for Transmission", - "parameters": [ - { - "id": "pe-4_prm_1", - "label": "organization-defined system distribution and transmission lines" - }, - { - "id": "pe-4_prm_2", - "label": "organization-defined security controls" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-4" - }, - { - "name": "sort-id", - "value": "PE-04" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-5", - "rel": "related", - "text": "PE-5" - }, - { - "href": "#pe-9", - "rel": "related", - "text": "PE-9" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - } - ], - "parts": [ - { - "id": "pe-4_smt", - "name": "statement", - "prose": "Control physical access to {{ pe-4_prm_1 }} within organizational facilities using {{ pe-4_prm_2 }}." - }, - { - "id": "pe-4_gdn", - "name": "guidance", - "prose": "Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors." - } - ] - }, - { - "id": "pe-5", - "class": "SP800-53", - "title": "Access Control for Output Devices", - "parameters": [ - { - "id": "pe-5_prm_1", - "label": "organization-defined output devices" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-5" - }, - { - "name": "sort-id", - "value": "PE-05" - } - ], - "links": [ - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - } - ], - "parts": [ - { - "id": "pe-5_smt", - "name": "statement", - "prose": "Control physical access to output from {{ pe-5_prm_1 }} to prevent unauthorized individuals from obtaining the output." - }, - { - "id": "pe-5_gdn", - "name": "guidance", - "prose": "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers." - } - ] - }, - { - "id": "pe-6", - "class": "SP800-53", - "title": "Monitoring Physical Access", - "parameters": [ - { - "id": "pe-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pe-6_prm_2", - "label": "organization-defined events or potential indications of events" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-6" - }, - { - "name": "sort-id", - "value": "PE-06" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - } - ], - "parts": [ - { - "id": "pe-6_smt", - "name": "statement", - "parts": [ - { - "id": "pe-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" - }, - { - "id": "pe-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and" - }, - { - "id": "pe-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." - } - ] - }, - { - "id": "pe-6_gdn", - "name": "guidance", - "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses." - } - ], - "controls": [ - { - "id": "pe-6.1", - "class": "SP800-53-enhancement", - "title": "Intrusion Alarms and Surveillance Equipment", - "properties": [ - { - "name": "label", - "value": "PE-6(1)" - }, - { - "name": "sort-id", - "value": "PE-06(01)" - } - ], - "parts": [ - { - "id": "pe-6.1_smt", - "name": "statement", - "prose": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment." - }, - { - "id": "pe-6.1_gdn", - "name": "guidance", - "prose": "Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility." - } - ] - } - ] - }, - { - "id": "pe-8", - "class": "SP800-53", - "title": "Visitor Access Records", - "parameters": [ - { - "id": "pe-8_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "pe-8_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "pe-8_prm_3", - "label": "organization-defined personnel" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-8" - }, - { - "name": "sort-id", - "value": "PE-08" - } - ], - "links": [ - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - } - ], - "parts": [ - { - "id": "pe-8_smt", - "name": "statement", - "parts": [ - { - "id": "pe-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }};" - }, - { - "id": "pe-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review visitor access records {{ pe-8_prm_2 }}; and" - }, - { - "id": "pe-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Report anomalies in visitor access records to {{ pe-8_prm_3 }}." - } - ] - }, - { - "id": "pe-8_gdn", - "name": "guidance", - "prose": "Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas." - } - ] - }, - { - "id": "pe-9", - "class": "SP800-53", - "title": "Power Equipment and Cabling", - "properties": [ - { - "name": "label", - "value": "PE-9" - }, - { - "name": "sort-id", - "value": "PE-09" - } - ], - "links": [ - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - } - ], - "parts": [ - { - "id": "pe-9_smt", - "name": "statement", - "prose": "Protect power equipment and power cabling for the system from damage and destruction." - }, - { - "id": "pe-9_gdn", - "name": "guidance", - "prose": "Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems." - } - ] - }, - { - "id": "pe-10", - "class": "SP800-53", - "title": "Emergency Shutoff", - "parameters": [ - { - "id": "pe-10_prm_1", - "label": "organization-defined system or individual system components" - }, - { - "id": "pe-10_prm_2", - "label": "organization-defined location by system or system component" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-10" - }, - { - "name": "sort-id", - "value": "PE-10" - } - ], - "links": [ - { - "href": "#pe-15", - "rel": "related", - "text": "PE-15" - } - ], - "parts": [ - { - "id": "pe-10_smt", - "name": "statement", - "parts": [ - { - "id": "pe-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide the capability of shutting off power to {{ pe-10_prm_1 }} in emergency situations;" - }, - { - "id": "pe-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Place emergency shutoff switches or devices in {{ pe-10_prm_2 }} to facilitate access for authorized personnel; and" - }, - { - "id": "pe-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Protect emergency power shutoff capability from unauthorized activation." - } - ] - }, - { - "id": "pe-10_gdn", - "name": "guidance", - "prose": "Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery." - } - ] - }, - { - "id": "pe-11", - "class": "SP800-53", - "title": "Emergency Power", - "parameters": [ - { - "id": "pe-11_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-11" - }, - { - "name": "sort-id", - "value": "PE-11" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "pe-11_smt", - "name": "statement", - "prose": "Provide an uninterruptible power supply to facilitate {{ pe-11_prm_1 }} in the event of a primary power source loss." - }, - { - "id": "pe-11_gdn", - "name": "guidance", - "prose": "An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system." - } - ] - }, - { - "id": "pe-12", - "class": "SP800-53", - "title": "Emergency Lighting", - "properties": [ - { - "name": "label", - "value": "PE-12" - }, - { - "name": "sort-id", - "value": "PE-12" - } - ], - "links": [ - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "pe-12_smt", - "name": "statement", - "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." - }, - { - "id": "pe-12_gdn", - "name": "guidance", - "prose": "The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites." - } - ] - }, - { - "id": "pe-13", - "class": "SP800-53", - "title": "Fire Protection", - "properties": [ - { - "name": "label", - "value": "PE-13" - }, - { - "name": "sort-id", - "value": "PE-13" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "pe-13_smt", - "name": "statement", - "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." - }, - { - "id": "pe-13_gdn", - "name": "guidance", - "prose": "The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors." - } - ], - "controls": [ - { - "id": "pe-13.1", - "class": "SP800-53-enhancement", - "title": "Detection Systems – Automatic Activation and Notification", - "parameters": [ - { - "id": "pe-13.1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pe-13.1_prm_2", - "label": "organization-defined emergency responders" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-13(1)" - }, - { - "name": "sort-id", - "value": "PE-13(01)" - } - ], - "parts": [ - { - "id": "pe-13.1_smt", - "name": "statement", - "prose": "Employ fire detection systems that activate automatically and notify {{ pe-13.1_prm_1 }} and {{ pe-13.1_prm_2 }} in the event of a fire." - }, - { - "id": "pe-13.1_gdn", - "name": "guidance", - "prose": "Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire." - } - ] - } - ] - }, - { - "id": "pe-14", - "class": "SP800-53", - "title": "Environmental Controls", - "parameters": [ - { - "id": "pe-14_prm_1" - }, - { - "id": "pe-14_prm_2", - "depends-on": "pe-14_prm_1", - "label": "organization-defined environmental control" - }, - { - "id": "pe-14_prm_3", - "label": "organization-defined acceptable levels" - }, - { - "id": "pe-14_prm_4", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-14" - }, - { - "name": "sort-id", - "value": "PE-14" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pe-21", - "rel": "related", - "text": "PE-21" - } - ], - "parts": [ - { - "id": "pe-14_smt", - "name": "statement", - "parts": [ - { - "id": "pe-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and" - }, - { - "id": "pe-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Monitor environmental control levels {{ pe-14_prm_4 }}." - } - ] - }, - { - "id": "pe-14_gdn", - "name": "guidance", - "prose": "The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure." - } - ] - }, - { - "id": "pe-15", - "class": "SP800-53", - "title": "Water Damage Protection", - "properties": [ - { - "name": "label", - "value": "PE-15" - }, - { - "name": "sort-id", - "value": "PE-15" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pe-10", - "rel": "related", - "text": "PE-10" - } - ], - "parts": [ - { - "id": "pe-15_smt", - "name": "statement", - "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." - }, - { - "id": "pe-15_gdn", - "name": "guidance", - "prose": "The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations." - } - ] - }, - { - "id": "pe-16", - "class": "SP800-53", - "title": "Delivery and Removal", - "parameters": [ - { - "id": "pe-16_prm_1", - "label": "organization-defined types of system components" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-16" - }, - { - "name": "sort-id", - "value": "PE-16" - } - ], - "links": [ - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "pe-16_smt", - "name": "statement", - "parts": [ - { - "id": "pe-16_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and" - }, - { - "id": "pe-16_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Maintain records of the system components." - } - ] - }, - { - "id": "pe-16_gdn", - "name": "guidance", - "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." - } - ] - }, - { - "id": "pe-17", - "class": "SP800-53", - "title": "Alternate Work Site", - "parameters": [ - { - "id": "pe-17_prm_1", - "label": "organization-defined alternate work sites" - }, - { - "id": "pe-17_prm_2", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "PE-17" - }, - { - "name": "sort-id", - "value": "PE-17" - } - ], - "links": [ - { - "href": "#7768c184-088d-4ee8-a316-f9286b52df7f", - "rel": "reference", - "text": "[SP 800-46]" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - } - ], - "parts": [ - { - "id": "pe-17_smt", - "name": "statement", - "parts": [ - { - "id": "pe-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine and document the {{ pe-17_prm_1 }} allowed for use by employees;" - }, - { - "id": "pe-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following controls at alternate work sites: {{ pe-17_prm_2 }};" - }, - { - "id": "pe-17_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assess the effectiveness of controls at alternate work sites; and" - }, - { - "id": "pe-17_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Provide a means for employees to communicate with information security and privacy personnel in case of incidents." - } - ] - }, - { - "id": "pe-17_gdn", - "name": "guidance", - "prose": "Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations." - } - ] - } - ] - }, - { - "id": "pl", - "class": "family", - "title": "Planning", - "controls": [ - { - "id": "pl-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pl-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-1_prm_2" - }, - { - "id": "pl-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pl-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pl-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-1" - }, - { - "name": "sort-id", - "value": "PL-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-1_smt", - "name": "statement", - "parts": [ - { - "id": "pl-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pl-1_prm_1 }}:", - "parts": [ - { - "id": "pl-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pl-1_prm_2 }} planning policy that:", - "parts": [ - { - "id": "pl-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pl-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pl-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" - } - ] - }, - { - "id": "pl-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" - }, - { - "id": "pl-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current planning:", - "parts": [ - { - "id": "pl-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pl-1_prm_4 }}; and" - }, - { - "id": "pl-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pl-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pl-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pl-2", - "class": "SP800-53", - "title": "System Security and Privacy Plans", - "parameters": [ - { - "id": "pl-2_prm_1", - "label": "organization-defined individuals or groups" - }, - { - "id": "pl-2_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-2" - }, - { - "name": "sort-id", - "value": "PL-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-22", - "rel": "related", - "text": "SA-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pl-2_smt", - "name": "statement", - "parts": [ - { - "id": "pl-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop security and privacy plans for the system that:", - "parts": [ - { - "id": "pl-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are consistent with the organization’s enterprise architecture;" - }, - { - "id": "pl-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Explicitly define the constituent system components;" - }, - { - "id": "pl-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Describe the operational context of the system in terms of missions and business processes;" - }, - { - "id": "pl-2_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Provide the security categorization of the system, including supporting rationale;" - }, - { - "id": "pl-2_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Describe any specific threats to the system that are of concern to the organization;" - }, - { - "id": "pl-2_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" - }, - { - "id": "pl-2_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" - }, - { - "id": "pl-2_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Provide an overview of the security and privacy requirements for the system;" - }, - { - "id": "pl-2_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Identify any relevant control baselines or overlays, if applicable;" - }, - { - "id": "pl-2_smt.a.10", - "name": "item", - "properties": [ - { - "name": "label", - "value": "10." - } - ], - "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" - }, - { - "id": "pl-2_smt.a.11", - "name": "item", - "properties": [ - { - "name": "label", - "value": "11." - } - ], - "prose": "Include risk determinations for security and privacy architecture and design decisions;" - }, - { - "id": "pl-2_smt.a.12", - "name": "item", - "properties": [ - { - "name": "label", - "value": "12." - } - ], - "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and" - }, - { - "id": "pl-2_smt.a.13", - "name": "item", - "properties": [ - { - "name": "label", - "value": "13." - } - ], - "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." - } - ] - }, - { - "id": "pl-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};" - }, - { - "id": "pl-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the plans {{ pl-2_prm_3 }};" - }, - { - "id": "pl-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" - }, - { - "id": "pl-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the plans from unauthorized disclosure and modification." - } - ] - }, - { - "id": "pl-2_gdn", - "name": "guidance", - "prose": "System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate." - } - ] - }, - { - "id": "pl-4", - "class": "SP800-53", - "title": "Rules of Behavior", - "parameters": [ - { - "id": "pl-4_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pl-4_prm_2" - }, - { - "id": "pl-4_prm_3", - "depends-on": "pl-4_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-4" - }, - { - "name": "sort-id", - "value": "PL-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-9", - "rel": "related", - "text": "AC-9" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-4_smt", - "name": "statement", - "parts": [ - { - "id": "pl-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" - }, - { - "id": "pl-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" - }, - { - "id": "pl-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the rules of behavior {{ pl-4_prm_1 }}; and" - }, - { - "id": "pl-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}." - } - ] - }, - { - "id": "pl-4_gdn", - "name": "guidance", - "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons." - } - ], - "controls": [ - { - "id": "pl-4.1", - "class": "SP800-53-enhancement", - "title": "Social Media and External Site/application Usage Restrictions", - "properties": [ - { - "name": "label", - "value": "PL-4(1)" - }, - { - "name": "sort-id", - "value": "PL-04(01)" - } - ], - "links": [ - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - } - ], - "parts": [ - { - "id": "pl-4.1_smt", - "name": "statement", - "prose": "Include in the rules of behavior, restrictions on:", - "parts": [ - { - "id": "pl-4.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Use of social media, social networking sites, and external sites/applications;" - }, - { - "id": "pl-4.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Posting organizational information on public websites; and" - }, - { - "id": "pl-4.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications." - } - ] - }, - { - "id": "pl-4.1_gdn", - "name": "guidance", - "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information." - } - ] - } - ] - }, - { - "id": "pl-8", - "class": "SP800-53", - "title": "Security and Privacy Architectures", - "parameters": [ - { - "id": "pl-8_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-8" - }, - { - "name": "sort-id", - "value": "PL-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pl-9", - "rel": "related", - "text": "PL-9" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "pl-8_smt", - "name": "statement", - "parts": [ - { - "id": "pl-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop security and privacy architectures for the system that:", - "parts": [ - { - "id": "pl-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" - }, - { - "id": "pl-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" - }, - { - "id": "pl-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" - }, - { - "id": "pl-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Describe any assumptions about, and dependencies on, external systems and services;" - } - ] - }, - { - "id": "pl-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and" - }, - { - "id": "pl-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions." - } - ] - }, - { - "id": "pl-8_gdn", - "name": "guidance", - "prose": "The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs.\n[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented.\nPL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." - } - ] - }, - { - "id": "pl-10", - "class": "SP800-53", - "title": "Baseline Selection", - "properties": [ - { - "name": "label", - "value": "PL-10" - }, - { - "name": "sort-id", - "value": "PL-10" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#31f3c9de-c57c-4281-929b-f9951f9640f1", - "rel": "reference", - "text": "[SP 800-53B]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ee96f130-3f91-46ed-a4d8-57e5f220a623", - "rel": "reference", - "text": "[CNSSI 1253]" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pl-10_smt", - "name": "statement", - "prose": "Select a control baseline for the system." - }, - { - "id": "pl-10_gdn", - "name": "guidance", - "prose": "Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments." - } - ] - }, - { - "id": "pl-11", - "class": "SP800-53", - "title": "Baseline Tailoring", - "properties": [ - { - "name": "label", - "value": "PL-11" - }, - { - "name": "sort-id", - "value": "PL-11" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#31f3c9de-c57c-4281-929b-f9951f9640f1", - "rel": "reference", - "text": "[SP 800-53B]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ee96f130-3f91-46ed-a4d8-57e5f220a623", - "rel": "reference", - "text": "[CNSSI 1253]" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pl-11_smt", - "name": "statement", - "prose": "Tailor the selected control baseline by applying specified tailoring actions." - }, - { - "id": "pl-11_gdn", - "name": "guidance", - "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities." - } - ] - } - ] - }, - { - "id": "pm", - "class": "family", - "title": "Program Management", - "controls": [ - { - "id": "pm-1", - "class": "SP800-53", - "title": "Information Security Program Plan", - "parameters": [ - { - "id": "pm-1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-1" - }, - { - "name": "sort-id", - "value": "PM-01" - } - ], - "links": [ - { - "href": "#14958422-54f6-471f-a345-802dca594dd8", - "rel": "reference", - "text": "[FISMA]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "pm-1_smt", - "name": "statement", - "parts": [ - { - "id": "pm-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and disseminate an organization-wide information security program plan that:", - "parts": [ - { - "id": "pm-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;" - }, - { - "id": "pm-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;" - }, - { - "id": "pm-1_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Reflects the coordination among organizational entities responsible for information security; and" - }, - { - "id": "pm-1_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;" - } - ] - }, - { - "id": "pm-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the organization-wide information security program plan {{ pm-1_prm_1 }};" - }, - { - "id": "pm-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and" - }, - { - "id": "pm-1_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect the information security program plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "pm-1_gdn", - "name": "guidance", - "prose": "An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents.\nInformation security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls." - } - ] - }, - { - "id": "pm-2", - "class": "SP800-53", - "title": "Information Security Program Leadership Role", - "properties": [ - { - "name": "label", - "value": "PM-2" - }, - { - "name": "sort-id", - "value": "PM-02" - } - ], - "links": [ - { - "href": "#ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3", - "rel": "reference", - "text": "[OMB M-17-25]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - } - ], - "parts": [ - { - "id": "pm-2_smt", - "name": "statement", - "prose": "Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program." - }, - { - "id": "pm-2_gdn", - "name": "guidance", - "prose": "The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer." - } - ] - }, - { - "id": "pm-3", - "class": "SP800-53", - "title": "Information Security and Privacy Resources", - "properties": [ - { - "name": "label", - "value": "PM-3" - }, - { - "name": "sort-id", - "value": "PM-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-3_smt", - "name": "statement", - "parts": [ - { - "id": "pm-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;" - }, - { - "id": "pm-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and" - }, - { - "id": "pm-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make available for expenditure, the planned information security and privacy resources." - } - ] - }, - { - "id": "pm-3_gdn", - "name": "guidance", - "prose": "Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process." - } - ] - }, - { - "id": "pm-4", - "class": "SP800-53", - "title": "Plan of Action and Milestones Process", - "properties": [ - { - "name": "label", - "value": "PM-4" - }, - { - "name": "sort-id", - "value": "PM-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-3", - "rel": "related", - "text": "PM-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-4_smt", - "name": "statement", - "parts": [ - { - "id": "pm-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:", - "parts": [ - { - "id": "pm-4_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained;" - }, - { - "id": "pm-4_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-4_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Are reported in accordance with established reporting requirements." - } - ] - }, - { - "id": "pm-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-4_gdn", - "name": "guidance", - "prose": "The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5." - } - ] - }, - { - "id": "pm-5", - "class": "SP800-53", - "title": "System Inventory", - "parameters": [ - { - "id": "pm-5_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-5" - }, - { - "name": "sort-id", - "value": "PM-05" - } - ], - "links": [ - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - } - ], - "parts": [ - { - "id": "pm-5_smt", - "name": "statement", - "prose": "Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems." - }, - { - "id": "pm-5_gdn", - "name": "guidance", - "prose": "[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8." - } - ], - "controls": [ - { - "id": "pm-5.1", - "class": "SP800-53-enhancement", - "title": "Inventory of Personally Identifiable Information", - "parameters": [ - { - "id": "pm-5.1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-5(1)" - }, - { - "name": "sort-id", - "value": "PM-05(01)" - } - ], - "links": [ - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-12", - "rel": "related", - "text": "CM-12" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-5.1_smt", - "name": "statement", - "prose": "Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information." - }, - { - "id": "pm-5.1_gdn", - "name": "guidance", - "prose": "An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein." - } - ] - } - ] - }, - { - "id": "pm-6", - "class": "SP800-53", - "title": "Measures of Performance", - "properties": [ - { - "name": "label", - "value": "PM-6" - }, - { - "name": "sort-id", - "value": "PM-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "rel": "reference", - "text": "[SP 800-55]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - } - ], - "parts": [ - { - "id": "pm-6_smt", - "name": "statement", - "prose": "Develop, monitor, and report on the results of information security and privacy measures of performance." - }, - { - "id": "pm-6_gdn", - "name": "guidance", - "prose": "Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program." - } - ] - }, - { - "id": "pm-7", - "class": "SP800-53", - "title": "Enterprise Architecture", - "properties": [ - { - "name": "label", - "value": "PM-7" - }, - { - "name": "sort-id", - "value": "PM-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "pm-7_smt", - "name": "statement", - "prose": "Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation." - }, - { - "id": "pm-7_gdn", - "name": "guidance", - "prose": "The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines." - } - ], - "controls": [ - { - "id": "pm-7.1", - "class": "SP800-53-enhancement", - "title": "Offloading", - "parameters": [ - { - "id": "pm-7.1_prm_1", - "label": "organization-defined non-essential functions or services" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-7(1)" - }, - { - "name": "sort-id", - "value": "PM-07(01)" - } - ], - "links": [ - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "pm-7.1_smt", - "name": "statement", - "prose": "Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider." - }, - { - "id": "pm-7.1_gdn", - "name": "guidance", - "prose": "Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services." - } - ] - } - ] - }, - { - "id": "pm-8", - "class": "SP800-53", - "title": "Critical Infrastructure Plan", - "properties": [ - { - "name": "label", - "value": "PM-8" - }, - { - "name": "sort-id", - "value": "PM-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#cde25174-38e0-4a00-8919-8ee3674b8088", - "rel": "reference", - "text": "[HSPD 7]" - }, - { - "href": "#24b7b1ec-6430-41de-9353-29fdb1b488fc", - "rel": "reference", - "text": "[DHS NIPP]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-8_smt", - "name": "statement", - "prose": "Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan." - }, - { - "id": "pm-8_gdn", - "name": "guidance", - "prose": "Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "pm-9", - "class": "SP800-53", - "title": "Risk Management Strategy", - "parameters": [ - { - "id": "pm-9_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-9" - }, - { - "name": "sort-id", - "value": "PM-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "pm-9_smt", - "name": "statement", - "parts": [ - { - "id": "pm-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develops a comprehensive strategy to manage:", - "parts": [ - { - "id": "pm-9_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and" - }, - { - "id": "pm-9_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Privacy risk to individuals resulting from the authorized processing of personally identifiable information;" - } - ] - }, - { - "id": "pm-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the risk management strategy consistently across the organization; and" - }, - { - "id": "pm-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes." - } - ] - }, - { - "id": "pm-9_gdn", - "name": "guidance", - "prose": "An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive." - } - ] - }, - { - "id": "pm-10", - "class": "SP800-53", - "title": "Authorization Process", - "properties": [ - { - "name": "label", - "value": "PM-10" - }, - { - "name": "sort-id", - "value": "PM-10" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "pm-10_smt", - "name": "statement", - "parts": [ - { - "id": "pm-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;" - }, - { - "id": "pm-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and" - }, - { - "id": "pm-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Integrate the authorization processes into an organization-wide risk management program." - } - ] - }, - { - "id": "pm-10_gdn", - "name": "guidance", - "prose": "Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation." - } - ] - }, - { - "id": "pm-11", - "class": "SP800-53", - "title": "Mission and Business Process Definition", - "parameters": [ - { - "id": "pm-11_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-11" - }, - { - "name": "sort-id", - "value": "PM-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-11_smt", - "name": "statement", - "parts": [ - { - "id": "pm-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and" - }, - { - "id": "pm-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and revise the mission and business processes {{ pm-11_prm_1 }}." - } - ] - }, - { - "id": "pm-11_gdn", - "name": "guidance", - "prose": "Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures." - } - ] - }, - { - "id": "pm-12", - "class": "SP800-53", - "title": "Insider Threat Program", - "properties": [ - { - "name": "label", - "value": "PM-12" - }, - { - "name": "sort-id", - "value": "PM-12" - } - ], - "links": [ - { - "href": "#2b5e12fb-633f-49e6-8aff-81d75bf53545", - "rel": "reference", - "text": "[EO 13587]" - }, - { - "href": "#286d42a1-efbe-49a2-9ce1-4c9bf68feb3b", - "rel": "reference", - "text": "[ODNI NITP]" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-16", - "rel": "related", - "text": "PM-16" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - } - ], - "parts": [ - { - "id": "pm-12_smt", - "name": "statement", - "prose": "Implement an insider threat program that includes a cross-discipline insider threat incident handling team." - }, - { - "id": "pm-12_gdn", - "name": "guidance", - "prose": "Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture.\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "pm-13", - "class": "SP800-53", - "title": "Security and Privacy Workforce", - "properties": [ - { - "name": "label", - "value": "PM-13" - }, - { - "name": "sort-id", - "value": "PM-13" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f4c3f657-de83-47ae-9aec-e144de8268d1", - "rel": "reference", - "text": "[SP 800-181]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "pm-13_smt", - "name": "statement", - "prose": "Establish a security and privacy workforce development and improvement program." - }, - { - "id": "pm-13_gdn", - "name": "guidance", - "prose": "Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals." - } - ] - }, - { - "id": "pm-14", - "class": "SP800-53", - "title": "Testing, Training, and Monitoring", - "properties": [ - { - "name": "label", - "value": "PM-14" - }, - { - "name": "sort-id", - "value": "PM-14" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "pm-14_smt", - "name": "statement", - "parts": [ - { - "id": "pm-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:", - "parts": [ - { - "id": "pm-14_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained; and" - }, - { - "id": "pm-14_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Continue to be executed; and" - } - ] - }, - { - "id": "pm-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-14_gdn", - "name": "guidance", - "prose": "This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments." - } - ] - }, - { - "id": "pm-15", - "class": "SP800-53", - "title": "Security and Privacy Groups and Associations", - "properties": [ - { - "name": "label", - "value": "PM-15" - }, - { - "name": "sort-id", - "value": "PM-15" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - } - ], - "parts": [ - { - "id": "pm-15_smt", - "name": "statement", - "prose": "Establish and institutionalize contact with selected groups and associations within the security and privacy communities:", - "parts": [ - { - "id": "pm-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "To facilitate ongoing security and privacy education and training for organizational personnel;" - }, - { - "id": "pm-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "To maintain currency with recommended security and privacy practices, techniques, and technologies; and" - }, - { - "id": "pm-15_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "To share current security and privacy information, including threats, vulnerabilities, and incidents." - } - ] - }, - { - "id": "pm-15_gdn", - "name": "guidance", - "prose": "Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "pm-16", - "class": "SP800-53", - "title": "Threat Awareness Program", - "properties": [ - { - "name": "label", - "value": "PM-16" - }, - { - "name": "sort-id", - "value": "PM-16" - } - ], - "links": [ - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - } - ], - "parts": [ - { - "id": "pm-16_smt", - "name": "statement", - "prose": "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence." - }, - { - "id": "pm-16_gdn", - "name": "guidance", - "prose": "Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared." - } - ], - "controls": [ - { - "id": "pm-16.1", - "class": "SP800-53-enhancement", - "title": "Automated Means for Sharing Threat Intelligence", - "properties": [ - { - "name": "label", - "value": "PM-16(1)" - }, - { - "name": "sort-id", - "value": "PM-16(01)" - } - ], - "parts": [ - { - "id": "pm-16.1_smt", - "name": "statement", - "prose": "Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information." - }, - { - "id": "pm-16.1_gdn", - "name": "guidance", - "prose": "To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures." - } - ] - } - ] - }, - { - "id": "pm-17", - "class": "SP800-53", - "title": "Protecting Controlled Unclassified Information on External Systems", - "parameters": [ - { - "id": "pm-17_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-17" - }, - { - "name": "sort-id", - "value": "PM-17" - } - ], - "links": [ - { - "href": "#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "rel": "reference", - "text": "[32 CFR 2002]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#dd87fdf0-840d-4392-9de4-220b2327e340", - "rel": "reference", - "text": "[NARA CUI]" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - } - ], - "parts": [ - { - "id": "pm-17_smt", - "name": "statement", - "parts": [ - { - "id": "pm-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards." - }, - { - "id": "pm-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update the policy and procedures {{ pm-17_prm_1 }}." - } - ] - }, - { - "id": "pm-17_gdn", - "name": "guidance", - "prose": "Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes." - } - ] - }, - { - "id": "pm-18", - "class": "SP800-53", - "title": "Privacy Program Plan", - "properties": [ - { - "name": "label", - "value": "PM-18" - }, - { - "name": "sort-id", - "value": "PM-18" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-18_smt", - "name": "statement", - "parts": [ - { - "id": "pm-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:", - "parts": [ - { - "id": "pm-18_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;" - }, - { - "id": "pm-18_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;" - }, - { - "id": "pm-18_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;" - }, - { - "id": "pm-18_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;" - }, - { - "id": "pm-18_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Reflects coordination among organizational entities responsible for the different aspects of privacy; and" - }, - { - "id": "pm-18_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and" - } - ] - }, - { - "id": "pm-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments." - } - ] - }, - { - "id": "pm-18_gdn", - "name": "guidance", - "prose": "A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls." - } - ] - }, - { - "id": "pm-19", - "class": "SP800-53", - "title": "Privacy Program Leadership Role", - "properties": [ - { - "name": "label", - "value": "PM-19" - }, - { - "name": "sort-id", - "value": "PM-19" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-20", - "rel": "related", - "text": "PM-20" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - } - ], - "parts": [ - { - "id": "pm-19_smt", - "name": "statement", - "prose": "Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program." - }, - { - "id": "pm-19_gdn", - "name": "guidance", - "prose": "The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)." - } - ] - }, - { - "id": "pm-20", - "class": "SP800-53", - "title": "Dissemination of Privacy Program Information", - "properties": [ - { - "name": "label", - "value": "PM-20" - }, - { - "name": "sort-id", - "value": "PM-20" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f7d3617a-9a4f-4f1a-a688-845081b70390", - "rel": "reference", - "text": "[OMB M-17-06]" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - } - ], - "parts": [ - { - "id": "pm-20_smt", - "name": "statement", - "prose": "Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:", - "parts": [ - { - "id": "pm-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;" - }, - { - "id": "pm-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensures that organizational privacy practices and reports are publicly available; and" - }, - { - "id": "pm-20_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices." - } - ] - }, - { - "id": "pm-20_gdn", - "name": "guidance", - "prose": "Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications." - } - ] - }, - { - "id": "pm-21", - "class": "SP800-53", - "title": "Accounting of Disclosures", - "properties": [ - { - "name": "label", - "value": "PM-21" - }, - { - "name": "sort-id", - "value": "PM-21" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - } - ], - "parts": [ - { - "id": "pm-21_smt", - "name": "statement", - "parts": [ - { - "id": "pm-21_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:", - "parts": [ - { - "id": "pm-21_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Date, nature, and purpose of each disclosure; and" - }, - { - "id": "pm-21_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Name and address, or other contact information of the person or organization to which the disclosure was made;" - } - ] - }, - { - "id": "pm-21_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and" - }, - { - "id": "pm-21_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request." - } - ] - }, - { - "id": "pm-21_gdn", - "name": "guidance", - "prose": "The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions." - } - ] - }, - { - "id": "pm-22", - "class": "SP800-53", - "title": "Personally Identifiable Information Quality Management", - "properties": [ - { - "name": "label", - "value": "PM-22" - }, - { - "name": "sort-id", - "value": "PM-22" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-22_smt", - "name": "statement", - "prose": "Develop and document policies and procedures for:", - "parts": [ - { - "id": "pm-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;" - }, - { - "id": "pm-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Correcting or deleting inaccurate or outdated personally identifiable information;" - }, - { - "id": "pm-22_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and" - }, - { - "id": "pm-22_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Appeals of adverse decisions on correction or deletion requests." - } - ] - }, - { - "id": "pm-22_gdn", - "name": "guidance", - "prose": "Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem." - } - ] - }, - { - "id": "pm-23", - "class": "SP800-53", - "title": "Data Governance Body", - "parameters": [ - { - "id": "pm-23_prm_1", - "label": "organization-defined roles" - }, - { - "id": "pm-23_prm_2", - "label": "organization-defined responsibilities" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-23" - }, - { - "name": "sort-id", - "value": "PM-23" - } - ], - "links": [ - { - "href": "#43facb7b-0afb-480f-8191-34790d5b444b", - "rel": "reference", - "text": "[EVIDACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#d843e915-eeb6-4bbe-8cab-ccc802088703", - "rel": "reference", - "text": "[OMB M-19-23]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - } - ], - "parts": [ - { - "id": "pm-23_smt", - "name": "statement", - "prose": "Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}." - }, - { - "id": "pm-23_gdn", - "name": "guidance", - "prose": "A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]." - } - ] - }, - { - "id": "pm-24", - "class": "SP800-53", - "title": "Data Integrity Board", - "properties": [ - { - "name": "label", - "value": "PM-24" - }, - { - "name": "sort-id", - "value": "PM-24" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - } - ], - "parts": [ - { - "id": "pm-24_smt", - "name": "statement", - "prose": "Establish a Data Integrity Board to:", - "parts": [ - { - "id": "pm-24_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review proposals to conduct or participate in a matching program; and" - }, - { - "id": "pm-24_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Conduct an annual review of all matching programs in which the agency has participated." - } - ] - }, - { - "id": "pm-24_gdn", - "name": "guidance", - "prose": "A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy." - } - ] - }, - { - "id": "pm-25", - "class": "SP800-53", - "title": "Minimization of Pii Used in Testing, Training, and Research", - "parameters": [ - { - "id": "pm-25_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-25" - }, - { - "name": "sort-id", - "value": "PM-25" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "pm-25_smt", - "name": "statement", - "parts": [ - { - "id": "pm-25_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;" - }, - { - "id": "pm-25_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;" - }, - { - "id": "pm-25_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and" - }, - { - "id": "pm-25_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review and update policies and procedures {{ pm-25_prm_1 }}." - } - ] - }, - { - "id": "pm-25_gdn", - "name": "guidance", - "prose": "The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)." - } - ] - }, - { - "id": "pm-26", - "class": "SP800-53", - "title": "Complaint Management", - "parameters": [ - { - "id": "pm-26_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_3", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-26" - }, - { - "name": "sort-id", - "value": "PM-26" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-26_smt", - "name": "statement", - "prose": "Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:", - "parts": [ - { - "id": "pm-26_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Mechanisms that are easy to use and readily accessible by the public;" - }, - { - "id": "pm-26_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "All information necessary for successfully filing complaints;" - }, - { - "id": "pm-26_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};" - }, - { - "id": "pm-26_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and" - }, - { - "id": "pm-26_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}." - } - ] - }, - { - "id": "pm-26_gdn", - "name": "guidance", - "prose": "Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information." - } - ] - }, - { - "id": "pm-27", - "class": "SP800-53", - "title": "Privacy Reporting", - "parameters": [ - { - "id": "pm-27_prm_1", - "label": "organization-defined privacy reports" - }, - { - "id": "pm-27_prm_2", - "label": "organization-defined officials" - }, - { - "id": "pm-27_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-27" - }, - { - "name": "sort-id", - "value": "PM-27" - } - ], - "links": [ - { - "href": "#14958422-54f6-471f-a345-802dca594dd8", - "rel": "reference", - "text": "[FISMA]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-27_smt", - "name": "statement", - "parts": [ - { - "id": "pm-27_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop {{ pm-27_prm_1 }} and disseminate to:", - "parts": [ - { - "id": "pm-27_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and" - }, - { - "id": "pm-27_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and" - } - ] - }, - { - "id": "pm-27_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update privacy reports {{ pm-27_prm_3 }}." - } - ] - }, - { - "id": "pm-27_gdn", - "name": "guidance", - "prose": "Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements." - } - ] - }, - { - "id": "pm-28", - "class": "SP800-53", - "title": "Risk Framing", - "parameters": [ - { - "id": "pm-28_prm_1", - "label": "organization-defined personnel" - }, - { - "id": "pm-28_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-28" - }, - { - "name": "sort-id", - "value": "PM-28" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - } - ], - "parts": [ - { - "id": "pm-28_smt", - "name": "statement", - "parts": [ - { - "id": "pm-28_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document:", - "parts": [ - { - "id": "pm-28_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Assumptions affecting risk assessments, risk responses, and risk monitoring;" - }, - { - "id": "pm-28_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Constraints affecting risk assessments, risk responses, and risk monitoring;" - }, - { - "id": "pm-28_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Priorities and trade-offs considered by the organization for managing risk; and" - }, - { - "id": "pm-28_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Organizational risk tolerance; and" - } - ] - }, - { - "id": "pm-28_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute the results of risk framing activities to {{ pm-28_prm_1 }};" - }, - { - "id": "pm-28_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update risk framing considerations {{ pm-28_prm_2 }}." - } - ] - }, - { - "id": "pm-28_gdn", - "name": "guidance", - "prose": "Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management." - } - ] - }, - { - "id": "pm-29", - "class": "SP800-53", - "title": "Risk Management Program Leadership Roles", - "properties": [ - { - "name": "label", - "value": "PM-29" - }, - { - "name": "sort-id", - "value": "PM-29" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-29_smt", - "name": "statement", - "parts": [ - { - "id": "pm-29_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and" - }, - { - "id": "pm-29_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization." - } - ] - }, - { - "id": "pm-29_gdn", - "name": "guidance", - "prose": "The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities." - } - ] - }, - { - "id": "pm-30", - "class": "SP800-53", - "title": "Supply Chain Risk Management Strategy", - "parameters": [ - { - "id": "pm-30_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-30" - }, - { - "name": "sort-id", - "value": "PM-30" - } - ], - "links": [ - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-7", - "rel": "related", - "text": "SR-7" - }, - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "pm-30_smt", - "name": "statement", - "parts": [ - { - "id": "pm-30_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;" - }, - { - "id": "pm-30_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the supply chain risk management strategy consistently across the organization; and" - }, - { - "id": "pm-30_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes." - } - ] - }, - { - "id": "pm-30_gdn", - "name": "guidance", - "prose": "An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level." - } - ] - }, - { - "id": "pm-31", - "class": "SP800-53", - "title": "Continuous Monitoring Strategy", - "parameters": [ - { - "id": "pm-31_prm_1", - "label": "organization-defined metrics" - }, - { - "id": "pm-31_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "pm-31_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-31" - }, - { - "name": "sort-id", - "value": "PM-31" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pm-31_smt", - "name": "statement", - "prose": "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:", - "parts": [ - { - "id": "pm-31_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};" - }, - { - "id": "pm-31_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "pm-31_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "pm-31_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "pm-31_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "pm-31_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}." - } - ] - }, - { - "id": "pm-31_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ] - }, - { - "id": "pm-32", - "class": "SP800-53", - "title": "Purposing", - "parameters": [ - { - "id": "pm-32_prm_1", - "label": "organization-defined systems or systems components" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-32" - }, - { - "name": "sort-id", - "value": "PM-32" - } - ], - "links": [ - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - } - ], - "parts": [ - { - "id": "pm-32_smt", - "name": "statement", - "prose": "Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose." - }, - { - "id": "pm-32_gdn", - "name": "guidance", - "prose": "Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures." - } - ] - } - ] - }, - { - "id": "ps", - "class": "family", - "title": "Personnel Security", - "controls": [ - { - "id": "ps-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ps-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-1_prm_2" - }, - { - "id": "ps-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ps-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ps-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-1" - }, - { - "name": "sort-id", - "value": "PS-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-1_smt", - "name": "statement", - "parts": [ - { - "id": "ps-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ps-1_prm_1 }}:", - "parts": [ - { - "id": "ps-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ps-1_prm_2 }} personnel security policy that:", - "parts": [ - { - "id": "ps-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ps-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ps-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" - } - ] - }, - { - "id": "ps-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" - }, - { - "id": "ps-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current personnel security:", - "parts": [ - { - "id": "ps-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ps-1_prm_4 }}; and" - }, - { - "id": "ps-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ps-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ps-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ps-2", - "class": "SP800-53", - "title": "Position Risk Designation", - "parameters": [ - { - "id": "ps-2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-2" - }, - { - "name": "sort-id", - "value": "PS-02" - } - ], - "links": [ - { - "href": "#2383ccfd-d8a0-4e3a-bf40-21288ae1e07a", - "rel": "reference", - "text": "[5 CFR 731]" - }, - { - "href": "#ac-5", - "rel": "related", - "text": "AC-5" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-2_smt", - "name": "statement", - "parts": [ - { - "id": "ps-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Assign a risk designation to all organizational positions;" - }, - { - "id": "ps-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establish screening criteria for individuals filling those positions; and" - }, - { - "id": "ps-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update position risk designations {{ ps-2_prm_1 }}." - } - ] - }, - { - "id": "ps-2_gdn", - "name": "guidance", - "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." - } - ] - }, - { - "id": "ps-3", - "class": "SP800-53", - "title": "Personnel Screening", - "parameters": [ - { - "id": "ps-3_prm_1", - "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-3" - }, - { - "name": "sort-id", - "value": "PS-03" - } - ], - "links": [ - { - "href": "#52a8b0c6-0c6b-424b-928d-41c50ba87838", - "rel": "reference", - "text": "[EO 13526]" - }, - { - "href": "#2b5e12fb-633f-49e6-8aff-81d75bf53545", - "rel": "reference", - "text": "[EO 13587]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "rel": "reference", - "text": "[SP 800-76-2]" - }, - { - "href": "#013e098f-0680-4856-a130-b768c69dab9c", - "rel": "reference", - "text": "[SP 800-78-4]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - } - ], - "parts": [ - { - "id": "ps-3_smt", - "name": "statement", - "parts": [ - { - "id": "ps-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Screen individuals prior to authorizing access to the system; and" - }, - { - "id": "ps-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Rescreen individuals in accordance with {{ ps-3_prm_1 }}." - } - ] - }, - { - "id": "ps-3_gdn", - "name": "guidance", - "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." - } - ] - }, - { - "id": "ps-4", - "class": "SP800-53", - "title": "Personnel Termination", - "parameters": [ - { - "id": "ps-4_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ps-4_prm_2", - "label": "organization-defined information security topics" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-4" - }, - { - "name": "sort-id", - "value": "PS-04" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - } - ], - "parts": [ - { - "id": "ps-4_smt", - "name": "statement", - "prose": "Upon termination of individual employment:", - "parts": [ - { - "id": "ps-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Disable system access within {{ ps-4_prm_1 }};" - }, - { - "id": "ps-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" - }, - { - "id": "ps-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }};" - }, - { - "id": "ps-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Retrieve all security-related organizational system-related property; and" - }, - { - "id": "ps-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." - } - ] - }, - { - "id": "ps-4_gdn", - "name": "guidance", - "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified." - } - ] - }, - { - "id": "ps-5", - "class": "SP800-53", - "title": "Personnel Transfer", - "parameters": [ - { - "id": "ps-5_prm_1", - "label": "organization-defined transfer or reassignment actions" - }, - { - "id": "ps-5_prm_2", - "label": "organization-defined time-period following the formal transfer action" - }, - { - "id": "ps-5_prm_3", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-5_prm_4", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-5" - }, - { - "name": "sort-id", - "value": "PS-05" - } - ], - "links": [ - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - } - ], - "parts": [ - { - "id": "ps-5_smt", - "name": "statement", - "parts": [ - { - "id": "ps-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" - }, - { - "id": "ps-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};" - }, - { - "id": "ps-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" - }, - { - "id": "ps-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}." - } - ] - }, - { - "id": "ps-5_gdn", - "name": "guidance", - "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." - } - ] - }, - { - "id": "ps-6", - "class": "SP800-53", - "title": "Access Agreements", - "parameters": [ - { - "id": "ps-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ps-6_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-6" - }, - { - "name": "sort-id", - "value": "PS-06" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#pe-2", - "rel": "related", - "text": "PE-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ps-6_smt", - "name": "statement", - "parts": [ - { - "id": "ps-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and document access agreements for organizational systems;" - }, - { - "id": "ps-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the access agreements {{ ps-6_prm_1 }}; and" - }, - { - "id": "ps-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Verify that individuals requiring access to organizational information and systems:", - "parts": [ - { - "id": "ps-6_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Sign appropriate access agreements prior to being granted access; and" - }, - { - "id": "ps-6_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}." - } - ] - } - ] - }, - { - "id": "ps-6_gdn", - "name": "guidance", - "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." - } - ] - }, - { - "id": "ps-7", - "class": "SP800-53", - "title": "External Personnel Security", - "parameters": [ - { - "id": "ps-7_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-7_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-7" - }, - { - "name": "sort-id", - "value": "PS-07" - } - ], - "links": [ - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-3", - "rel": "related", - "text": "PS-3" - }, - { - "href": "#ps-4", - "rel": "related", - "text": "PS-4" - }, - { - "href": "#ps-5", - "rel": "related", - "text": "PS-5" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - } - ], - "parts": [ - { - "id": "ps-7_smt", - "name": "statement", - "parts": [ - { - "id": "ps-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" - }, - { - "id": "ps-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" - }, - { - "id": "ps-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document personnel security requirements;" - }, - { - "id": "ps-7_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and" - }, - { - "id": "ps-7_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Monitor provider compliance with personnel security requirements." - } - ] - }, - { - "id": "ps-7_gdn", - "name": "guidance", - "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated." - } - ] - }, - { - "id": "ps-8", - "class": "SP800-53", - "title": "Personnel Sanctions", - "parameters": [ - { - "id": "ps-8_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ps-8_prm_2", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PS-8" - }, - { - "name": "sort-id", - "value": "PS-08" - } - ], - "links": [ - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - } - ], - "parts": [ - { - "id": "ps-8_smt", - "name": "statement", - "parts": [ - { - "id": "ps-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" - }, - { - "id": "ps-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." - } - ] - }, - { - "id": "ps-8_gdn", - "name": "guidance", - "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." - } - ] - } - ] - }, - { - "id": "ra", - "class": "family", - "title": "Risk Assessment", - "controls": [ - { - "id": "ra-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ra-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-1_prm_2" - }, - { - "id": "ra-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ra-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ra-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-1" - }, - { - "name": "sort-id", - "value": "RA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-1_smt", - "name": "statement", - "parts": [ - { - "id": "ra-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ra-1_prm_1 }}:", - "parts": [ - { - "id": "ra-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ra-1_prm_2 }} risk assessment policy that:", - "parts": [ - { - "id": "ra-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ra-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ra-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" - } - ] - }, - { - "id": "ra-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" - }, - { - "id": "ra-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current risk assessment:", - "parts": [ - { - "id": "ra-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ra-1_prm_4 }}; and" - }, - { - "id": "ra-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ra-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ra-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ra-2", - "class": "SP800-53", - "title": "Security Categorization", - "properties": [ - { - "name": "label", - "value": "RA-2" - }, - { - "name": "sort-id", - "value": "RA-02" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-2_smt", - "name": "statement", - "parts": [ - { - "id": "ra-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Categorize the system and information it processes, stores, and transmits;" - }, - { - "id": "ra-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" - }, - { - "id": "ra-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." - } - ] - }, - { - "id": "ra-2_gdn", - "name": "guidance", - "prose": "Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts.\nSecurity categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant." - } - ] - }, - { - "id": "ra-3", - "class": "SP800-53", - "title": "Risk Assessment", - "parameters": [ - { - "id": "ra-3_prm_1" - }, - { - "id": "ra-3_prm_2", - "depends-on": "ra-3_prm_1", - "label": "organization-defined document" - }, - { - "id": "ra-3_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "ra-3_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-3_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-3" - }, - { - "name": "sort-id", - "value": "RA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-3_smt", - "name": "statement", - "parts": [ - { - "id": "ra-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Conduct a risk assessment, including:", - "parts": [ - { - "id": "ra-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" - }, - { - "id": "ra-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" - } - ] - }, - { - "id": "ra-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" - }, - { - "id": "ra-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document risk assessment results in {{ ra-3_prm_1 }};" - }, - { - "id": "ra-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review risk assessment results {{ ra-3_prm_3 }};" - }, - { - "id": "ra-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Disseminate risk assessment results to {{ ra-3_prm_4 }}; and" - }, - { - "id": "ra-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." - } - ] - }, - { - "id": "ra-3_gdn", - "name": "guidance", - "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." - } - ], - "controls": [ - { - "id": "ra-3.1", - "class": "SP800-53-enhancement", - "title": "Supply Chain Risk Assessment", - "parameters": [ - { - "id": "ra-3.1_prm_1", - "label": "organization-defined systems, system components, and system services" - }, - { - "id": "ra-3.1_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-3(1)" - }, - { - "name": "sort-id", - "value": "RA-03(01)" - } - ], - "links": [ - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#pm-17", - "rel": "related", - "text": "PM-17" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "ra-3.1_smt", - "name": "statement", - "parts": [ - { - "id": "ra-3.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and" - }, - { - "id": "ra-3.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." - } - ] - }, - { - "id": "ra-3.1_gdn", - "name": "guidance", - "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." - } - ] - } - ] - }, - { - "id": "ra-5", - "class": "SP800-53", - "title": "Vulnerability Monitoring and Scanning", - "parameters": [ - { - "id": "ra-5_prm_1", - "label": "organization-defined frequency and/or randomly in accordance with organization-defined process" - }, - { - "id": "ra-5_prm_2", - "label": "organization-defined response times" - }, - { - "id": "ra-5_prm_3", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5" - }, - { - "name": "sort-id", - "value": "RA-05" - } - ], - "links": [ - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "rel": "reference", - "text": "[SP 800-126]" - }, - { - "href": "#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "rel": "reference", - "text": "[IR 7788]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "ra-5_smt", - "name": "statement", - "parts": [ - { - "id": "ra-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" - }, - { - "id": "ra-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", - "parts": [ - { - "id": "ra-5_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Enumerating platforms, software flaws, and improper configurations;" - }, - { - "id": "ra-5_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Formatting checklists and test procedures; and" - }, - { - "id": "ra-5_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Measuring vulnerability impact;" - } - ] - }, - { - "id": "ra-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" - }, - { - "id": "ra-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk;" - }, - { - "id": "ra-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and" - }, - { - "id": "ra-5_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." - } - ] - }, - { - "id": "ra-5_gdn", - "name": "guidance", - "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\nVulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\nOrganizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." - } - ], - "controls": [ - { - "id": "ra-5.2", - "class": "SP800-53-enhancement", - "title": "Update System Vulnerabilities", - "parameters": [ - { - "id": "ra-5.2_prm_1" - }, - { - "id": "ra-5.2_prm_2", - "depends-on": "ra-5.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5(2)" - }, - { - "name": "sort-id", - "value": "RA-05(02)" - } - ], - "links": [ - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - } - ], - "parts": [ - { - "id": "ra-5.2_smt", - "name": "statement", - "prose": "Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}." - }, - { - "id": "ra-5.2_gdn", - "name": "guidance", - "prose": "Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." - } - ] - }, - { - "id": "ra-5.5", - "class": "SP800-53-enhancement", - "title": "Privileged Access", - "parameters": [ - { - "id": "ra-5.5_prm_1", - "label": "organization-defined system components" - }, - { - "id": "ra-5.5_prm_2", - "label": "organization-defined vulnerability scanning activities" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-5(5)" - }, - { - "name": "sort-id", - "value": "RA-05(05)" - } - ], - "parts": [ - { - "id": "ra-5.5_smt", - "name": "statement", - "prose": "Implement privileged access authorization to {{ ra-5.5_prm_1 }} for {{ ra-5.5_prm_2 }}." - }, - { - "id": "ra-5.5_gdn", - "name": "guidance", - "prose": "In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning." - } - ] - } - ] - }, - { - "id": "ra-7", - "class": "SP800-53", - "title": "Risk Response", - "properties": [ - { - "name": "label", - "value": "RA-7" - }, - { - "name": "sort-id", - "value": "RA-07" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "ra-7_smt", - "name": "statement", - "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." - }, - { - "id": "ra-7_gdn", - "name": "guidance", - "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." - } - ] - }, - { - "id": "ra-9", - "class": "SP800-53", - "title": "Criticality Analysis", - "parameters": [ - { - "id": "ra-9_prm_1", - "label": "organization-defined systems, system components, or system services" - }, - { - "id": "ra-9_prm_2", - "label": "organization-defined decision points in the system development life cycle" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-9" - }, - { - "name": "sort-id", - "value": "RA-09" - } - ], - "links": [ - { - "href": "#7a93e915-fd58-4147-be12-e48044c367e6", - "rel": "reference", - "text": "[IR 8179]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - } - ], - "parts": [ - { - "id": "ra-9_smt", - "name": "statement", - "prose": "Identify critical system components and functions by performing a criticality analysis for {{ ra-9_prm_1 }} at {{ ra-9_prm_2 }}." - }, - { - "id": "ra-9_gdn", - "name": "guidance", - "prose": "Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2." - } - ] - } - ] - }, - { - "id": "sa", - "class": "family", - "title": "System and Services Acquisition", - "controls": [ - { - "id": "sa-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sa-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sa-1_prm_2" - }, - { - "id": "sa-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sa-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sa-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-1" - }, - { - "name": "sort-id", - "value": "SA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sa-1_smt", - "name": "statement", - "parts": [ - { - "id": "sa-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sa-1_prm_1 }}:", - "parts": [ - { - "id": "sa-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sa-1_prm_2 }} system and services acquisition policy that:", - "parts": [ - { - "id": "sa-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sa-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sa-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" - } - ] - }, - { - "id": "sa-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" - }, - { - "id": "sa-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and services acquisition:", - "parts": [ - { - "id": "sa-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sa-1_prm_4 }}; and" - }, - { - "id": "sa-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sa-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sa-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sa-2", - "class": "SP800-53", - "title": "Allocation of Resources", - "properties": [ - { - "name": "label", - "value": "SA-2" - }, - { - "name": "sort-id", - "value": "SA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pm-3", - "rel": "related", - "text": "PM-3" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-2_smt", - "name": "statement", - "parts": [ - { - "id": "sa-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" - }, - { - "id": "sa-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" - }, - { - "id": "sa-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." - } - ] - }, - { - "id": "sa-2_gdn", - "name": "guidance", - "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle." - } - ] - }, - { - "id": "sa-3", - "class": "SP800-53", - "title": "System Development Life Cycle", - "parameters": [ - { - "id": "sa-3_prm_1", - "label": "organization-defined system development life cycle" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-3" - }, - { - "name": "sort-id", - "value": "SA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "rel": "reference", - "text": "[SP 800-171]" - }, - { - "href": "#aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "rel": "reference", - "text": "[SP 800-171B]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-22", - "rel": "related", - "text": "SA-22" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - } - ], - "parts": [ - { - "id": "sa-3_smt", - "name": "statement", - "parts": [ - { - "id": "sa-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations;" - }, - { - "id": "sa-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" - }, - { - "id": "sa-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Identify individuals having information security and privacy roles and responsibilities; and" - }, - { - "id": "sa-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." - } - ] - }, - { - "id": "sa-3_gdn", - "name": "guidance", - "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle." - } - ] - }, - { - "id": "sa-4", - "class": "SP800-53", - "title": "Acquisition Process", - "parameters": [ - { - "id": "sa-4_prm_1" - }, - { - "id": "sa-4_prm_2", - "depends-on": "sa-4_prm_1", - "label": "organization-defined contract language" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-4" - }, - { - "name": "sort-id", - "value": "SA-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "rel": "reference", - "text": "[ISO 15408-1]" - }, - { - "href": "#18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "rel": "reference", - "text": "[ISO 15408-2]" - }, - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#daf69edb-a0ef-4447-9880-8c4bf553181f", - "rel": "reference", - "text": "[IR 7676]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#5dac2312-1d0d-416f-aebb-400fa9775b74", - "rel": "reference", - "text": "[NIAP CCEVS]" - }, - { - "href": "#634dec27-df88-4c30-b1a4-b57cdfd24f20", - "rel": "reference", - "text": "[NSA CSFC]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-4_smt", - "name": "statement", - "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:", - "parts": [ - { - "id": "sa-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Security and privacy functional requirements;" - }, - { - "id": "sa-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Strength of mechanism requirements;" - }, - { - "id": "sa-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Security and privacy assurance requirements;" - }, - { - "id": "sa-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Controls needed to satisfy the security and privacy requirements." - }, - { - "id": "sa-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Security and privacy documentation requirements;" - }, - { - "id": "sa-4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Requirements for protecting security and privacy documentation;" - }, - { - "id": "sa-4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Description of the system development environment and environment in which the system is intended to operate;" - }, - { - "id": "sa-4_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" - }, - { - "id": "sa-4_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Acceptance criteria." - } - ] - }, - { - "id": "sa-4_gdn", - "name": "guidance", - "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement." - } - ], - "controls": [ - { - "id": "sa-4.1", - "class": "SP800-53-enhancement", - "title": "Functional Properties of Controls", - "properties": [ - { - "name": "label", - "value": "SA-4(1)" - }, - { - "name": "sort-id", - "value": "SA-04(01)" - } - ], - "parts": [ - { - "id": "sa-4.1_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented." - }, - { - "id": "sa-4.1_gdn", - "name": "guidance", - "prose": "Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls." - } - ] - }, - { - "id": "sa-4.2", - "class": "SP800-53-enhancement", - "title": "Design and Implementation Information for Controls", - "parameters": [ - { - "id": "sa-4.2_prm_1" - }, - { - "id": "sa-4.2_prm_2", - "depends-on": "sa-4.2_prm_1", - "label": "organization-defined design and implementation information" - }, - { - "id": "sa-4.2_prm_3", - "label": "organization-defined level of detail" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-4(2)" - }, - { - "name": "sort-id", - "value": "SA-04(02)" - } - ], - "parts": [ - { - "id": "sa-4.2_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}." - }, - { - "id": "sa-4.2_gdn", - "name": "guidance", - "prose": "Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system." - } - ] - }, - { - "id": "sa-4.9", - "class": "SP800-53-enhancement", - "title": "Functions, Ports, Protocols, and Services in Use", - "properties": [ - { - "name": "label", - "value": "SA-4(9)" - }, - { - "name": "sort-id", - "value": "SA-04(09)" - } - ], - "links": [ - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - } - ], - "parts": [ - { - "id": "sa-4.9_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use." - }, - { - "id": "sa-4.9_gdn", - "name": "guidance", - "prose": "The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources." - } - ] - }, - { - "id": "sa-4.10", - "class": "SP800-53-enhancement", - "title": "Use of Approved PIV Products", - "properties": [ - { - "name": "label", - "value": "SA-4(10)" - }, - { - "name": "sort-id", - "value": "SA-04(10)" - } - ], - "links": [ - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - } - ], - "parts": [ - { - "id": "sa-4.10_smt", - "name": "statement", - "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." - }, - { - "id": "sa-4.10_gdn", - "name": "guidance", - "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations." - } - ] - } - ] - }, - { - "id": "sa-5", - "class": "SP800-53", - "title": "System Documentation", - "parameters": [ - { - "id": "sa-5_prm_1", - "label": "organization-defined actions" - }, - { - "id": "sa-5_prm_2", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-5" - }, - { - "name": "sort-id", - "value": "SA-05" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "sa-5_smt", - "name": "statement", - "parts": [ - { - "id": "sa-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Obtain administrator documentation for the system, system component, or system service that describes:", - "parts": [ - { - "id": "sa-5_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Secure configuration, installation, and operation of the system, component, or service;" - }, - { - "id": "sa-5_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" - }, - { - "id": "sa-5_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" - } - ] - }, - { - "id": "sa-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Obtain user documentation for the system, system component, or system service that describes:", - "parts": [ - { - "id": "sa-5_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" - }, - { - "id": "sa-5_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" - }, - { - "id": "sa-5_smt.b.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" - } - ] - }, - { - "id": "sa-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response;" - }, - { - "id": "sa-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect documentation as required, in accordance with the organizational risk management strategy; and" - }, - { - "id": "sa-5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Distribute documentation to {{ sa-5_prm_2 }}." - } - ] - }, - { - "id": "sa-5_gdn", - "name": "guidance", - "prose": "System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." - } - ] - }, - { - "id": "sa-8", - "class": "SP800-53", - "title": "Security and Privacy Engineering Principles", - "parameters": [ - { - "id": "sa-8_prm_1", - "label": "organization-defined systems security and privacy engineering principles" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-8" - }, - { - "name": "sort-id", - "value": "SA-08" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-20", - "rel": "related", - "text": "SA-20" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-8_smt", - "name": "statement", - "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}." - }, - { - "id": "sa-8_gdn", - "name": "guidance", - "prose": "Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\nThe application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design." - } - ] - }, - { - "id": "sa-9", - "class": "SP800-53", - "title": "External System Services", - "parameters": [ - { - "id": "sa-9_prm_1", - "label": "organization-defined controls" - }, - { - "id": "sa-9_prm_2", - "label": "organization-defined processes, methods, and techniques" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-9" - }, - { - "name": "sort-id", - "value": "SA-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-9_smt", - "name": "statement", - "parts": [ - { - "id": "sa-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};" - }, - { - "id": "sa-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" - }, - { - "id": "sa-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}." - } - ] - }, - { - "id": "sa-9_gdn", - "name": "guidance", - "prose": "External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." - } - ], - "controls": [ - { - "id": "sa-9.2", - "class": "SP800-53-enhancement", - "title": "Identification of Functions, Ports, Protocols, and Services", - "parameters": [ - { - "id": "sa-9.2_prm_1", - "label": "organization-defined external system services" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-9(2)" - }, - { - "name": "sort-id", - "value": "SA-09(02)" - } - ], - "links": [ - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - } - ], - "parts": [ - { - "id": "sa-9.2_smt", - "name": "statement", - "prose": "Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ sa-9.2_prm_1 }}." - }, - { - "id": "sa-9.2_gdn", - "name": "guidance", - "prose": "Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols." - } - ] - } - ] - }, - { - "id": "sa-10", - "class": "SP800-53", - "title": "Developer Configuration Management", - "parameters": [ - { - "id": "sa-10_prm_1" - }, - { - "id": "sa-10_prm_2", - "label": "organization-defined configuration items under configuration management" - }, - { - "id": "sa-10_prm_3", - "label": "organization-defined personnel" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-10" - }, - { - "name": "sort-id", - "value": "SA-10" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "sa-10_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to:", - "parts": [ - { - "id": "sa-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Perform configuration management during system, component, or service {{ sa-10_prm_1 }};" - }, - { - "id": "sa-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};" - }, - { - "id": "sa-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Implement only organization-approved changes to the system, component, or service;" - }, - { - "id": "sa-10_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and" - }, - { - "id": "sa-10_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Track security flaws and flaw resolution within the system, component, or service and report findings to {{ sa-10_prm_3 }}." - } - ] - }, - { - "id": "sa-10_gdn", - "name": "guidance", - "prose": "Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.\nThe configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle." - } - ] - }, - { - "id": "sa-11", - "class": "SP800-53", - "title": "Developer Testing and Evaluation", - "parameters": [ - { - "id": "sa-11_prm_1" - }, - { - "id": "sa-11_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "sa-11_prm_3", - "label": "organization-defined depth and coverage" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-11" - }, - { - "name": "sort-id", - "value": "SA-11" - } - ], - "links": [ - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#fd0f14f5-8910-45c4-b60a-0c8936e00daa", - "rel": "reference", - "text": "[SP 800-154]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-7", - "rel": "related", - "text": "SR-7" - } - ], - "parts": [ - { - "id": "sa-11_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:", - "parts": [ - { - "id": "sa-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and implement a plan for ongoing security and privacy assessments;" - }, - { - "id": "sa-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }};" - }, - { - "id": "sa-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;" - }, - { - "id": "sa-11_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement a verifiable flaw remediation process; and" - }, - { - "id": "sa-11_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Correct flaws identified during testing and evaluation." - } - ] - }, - { - "id": "sa-11_gdn", - "name": "guidance", - "prose": "Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation." - } - ] - }, - { - "id": "sa-15", - "class": "SP800-53", - "title": "Development Process, Standards, and Tools", - "parameters": [ - { - "id": "sa-15_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "sa-15_prm_2", - "label": "organization-defined security and privacy requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-15" - }, - { - "name": "sort-id", - "value": "SA-15" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#7a93e915-fd58-4147-be12-e48044c367e6", - "rel": "reference", - "text": "[IR 8179]" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - } - ], - "parts": [ - { - "id": "sa-15_smt", - "name": "statement", - "parts": [ - { - "id": "sa-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require the developer of the system, system component, or system service to follow a documented development process that:", - "parts": [ - { - "id": "sa-15_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Explicitly addresses security and privacy requirements;" - }, - { - "id": "sa-15_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Identifies the standards and tools used in the development process;" - }, - { - "id": "sa-15_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Documents the specific tool options and tool configurations used in the development process; and" - }, - { - "id": "sa-15_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" - } - ] - }, - { - "id": "sa-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review the development process, standards, tools, tool options, and tool configurations {{ sa-15_prm_1 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ sa-15_prm_2 }}." - } - ] - }, - { - "id": "sa-15_gdn", - "name": "guidance", - "prose": "Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes." - } - ], - "controls": [ - { - "id": "sa-15.3", - "class": "SP800-53-enhancement", - "title": "Criticality Analysis", - "parameters": [ - { - "id": "sa-15.3_prm_1", - "label": "organization-defined decision points in the system development life cycle" - }, - { - "id": "sa-15.3_prm_2", - "label": "organization-defined breadth and depth of criticality analysis" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-15(3)" - }, - { - "name": "sort-id", - "value": "SA-15(03)" - } - ], - "links": [ - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - } - ], - "parts": [ - { - "id": "sa-15.3_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service to perform a criticality analysis:", - "parts": [ - { - "id": "sa-15.3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "At the following decision points in the system development life cycle: {{ sa-15.3_prm_1 }}; and" - }, - { - "id": "sa-15.3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "At the following level of rigor: {{ sa-15.3_prm_2 }}." - } - ] - }, - { - "id": "sa-15.3_gdn", - "name": "guidance", - "prose": "Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses." - } - ] - } - ] - }, - { - "id": "sa-22", - "class": "SP800-53", - "title": "Unsupported System Components", - "parameters": [ - { - "id": "sa-22_prm_1" - }, - { - "id": "sa-22_prm_2", - "depends-on": "sa-22_prm_1", - "label": "organization-defined support from external providers" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-22" - }, - { - "name": "sort-id", - "value": "SA-22" - } - ], - "links": [ - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "sa-22_smt", - "name": "statement", - "parts": [ - { - "id": "sa-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" - }, - { - "id": "sa-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}." - } - ] - }, - { - "id": "sa-22_gdn", - "name": "guidance", - "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors." - } - ] - } - ] - }, - { - "id": "sc", - "class": "family", - "title": "System and Communications Protection", - "controls": [ - { - "id": "sc-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sc-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sc-1_prm_2" - }, - { - "id": "sc-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sc-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sc-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-1" - }, - { - "name": "sort-id", - "value": "SC-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sc-1_smt", - "name": "statement", - "parts": [ - { - "id": "sc-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sc-1_prm_1 }}:", - "parts": [ - { - "id": "sc-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sc-1_prm_2 }} system and communications protection policy that:", - "parts": [ - { - "id": "sc-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sc-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sc-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" - } - ] - }, - { - "id": "sc-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" - }, - { - "id": "sc-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and communications protection:", - "parts": [ - { - "id": "sc-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sc-1_prm_4 }}; and" - }, - { - "id": "sc-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sc-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sc-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sc-2", - "class": "SP800-53", - "title": "Separation of System and User Functionality", - "properties": [ - { - "name": "label", - "value": "SC-2" - }, - { - "name": "sort-id", - "value": "SC-02" - } - ], - "links": [ - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-39", - "rel": "related", - "text": "SC-39" - } - ], - "parts": [ - { - "id": "sc-2_smt", - "name": "statement", - "prose": "Separate user functionality, including user interface services, from system management functionality." - }, - { - "id": "sc-2_gdn", - "name": "guidance", - "prose": "System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18)." - } - ] - }, - { - "id": "sc-4", - "class": "SP800-53", - "title": "Information in Shared System Resources", - "properties": [ - { - "name": "label", - "value": "SC-4" - }, - { - "name": "sort-id", - "value": "SC-04" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "sc-4_smt", - "name": "statement", - "prose": "Prevent unauthorized and unintended information transfer via shared system resources." - }, - { - "id": "sc-4_gdn", - "name": "guidance", - "prose": "Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles." - } - ] - }, - { - "id": "sc-5", - "class": "SP800-53", - "title": "Denial of Service Protection", - "parameters": [ - { - "id": "sc-5_prm_1" - }, - { - "id": "sc-5_prm_2", - "label": "organization-defined types of denial of service events" - }, - { - "id": "sc-5_prm_3", - "label": "organization-defined controls by type of denial of service event" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-5" - }, - { - "name": "sort-id", - "value": "SC-05" - } - ], - "links": [ - { - "href": "#3862cd94-ff25-4631-9a9a-b92c21a0a923", - "rel": "reference", - "text": "[SP 800-189]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#sc-6", - "rel": "related", - "text": "SC-6" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - } - ], - "parts": [ - { - "id": "sc-5_smt", - "name": "statement", - "parts": [ - { - "id": "sc-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "\n {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and" - }, - { - "id": "sc-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}." - } - ] - }, - { - "id": "sc-5_gdn", - "name": "guidance", - "prose": "Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events." - } - ] - }, - { - "id": "sc-7", - "class": "SP800-53", - "title": "Boundary Protection", - "parameters": [ - { - "id": "sc-7_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7" - }, - { - "name": "sort-id", - "value": "SC-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#db7877cf-1013-4fb1-b943-ca9361d16370", - "rel": "reference", - "text": "[SP 800-41]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#3862cd94-ff25-4631-9a9a-b92c21a0a923", - "rel": "reference", - "text": "[SP 800-189]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-10", - "rel": "related", - "text": "CM-10" - }, - { - "href": "#cp-8", - "rel": "related", - "text": "CP-8" - }, - { - "href": "#cp-10", - "rel": "related", - "text": "CP-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-32", - "rel": "related", - "text": "SC-32" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - } - ], - "parts": [ - { - "id": "sc-7_smt", - "name": "statement", - "parts": [ - { - "id": "sc-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;" - }, - { - "id": "sc-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and" - }, - { - "id": "sc-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - } - ] - }, - { - "id": "sc-7_gdn", - "name": "guidance", - "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions." - } - ], - "controls": [ - { - "id": "sc-7.3", - "class": "SP800-53-enhancement", - "title": "Access Points", - "properties": [ - { - "name": "label", - "value": "SC-7(3)" - }, - { - "name": "sort-id", - "value": "SC-07(03)" - } - ], - "parts": [ - { - "id": "sc-7.3_smt", - "name": "statement", - "prose": "Limit the number of external network connections to the system." - }, - { - "id": "sc-7.3_gdn", - "name": "guidance", - "prose": "Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system." - } - ] - }, - { - "id": "sc-7.4", - "class": "SP800-53-enhancement", - "title": "External Telecommunications Services", - "parameters": [ - { - "id": "sc-7.4_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7(4)" - }, - { - "name": "sort-id", - "value": "SC-07(04)" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - } - ], - "parts": [ - { - "id": "sc-7.4_smt", - "name": "statement", - "parts": [ - { - "id": "sc-7.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Implement a managed interface for each external telecommunication service;" - }, - { - "id": "sc-7.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Establish a traffic flow policy for each managed interface;" - }, - { - "id": "sc-7.4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Protect the confidentiality and integrity of the information being transmitted across each interface;" - }, - { - "id": "sc-7.4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;" - }, - { - "id": "sc-7.4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(e)" - } - ], - "prose": "Review exceptions to the traffic flow policy {{ sc-7.4_prm_1 }} and remove exceptions that are no longer supported by an explicit mission or business need;" - }, - { - "id": "sc-7.4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(f)" - } - ], - "prose": "Prevent unauthorized exchange of control plane traffic with external networks;" - }, - { - "id": "sc-7.4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(g)" - } - ], - "prose": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and" - }, - { - "id": "sc-7.4_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(h)" - } - ], - "prose": "Filter unauthorized control plane traffic from external networks." - } - ] - }, - { - "id": "sc-7.4_gdn", - "name": "guidance", - "prose": "External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.”" - } - ] - }, - { - "id": "sc-7.5", - "class": "SP800-53-enhancement", - "title": "Deny by Default — Allow by Exception", - "parameters": [ - { - "id": "sc-7.5_prm_1" - }, - { - "id": "sc-7.5_prm_2", - "depends-on": "sc-7.5_prm_1", - "label": "organization-defined systems" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7(5)" - }, - { - "name": "sort-id", - "value": "SC-07(05)" - } - ], - "parts": [ - { - "id": "sc-7.5_smt", - "name": "statement", - "prose": "Deny network communications traffic by default and allow network communications traffic by exception {{ sc-7.5_prm_1 }}." - }, - { - "id": "sc-7.5_gdn", - "name": "guidance", - "prose": "Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system." - } - ] - }, - { - "id": "sc-7.7", - "class": "SP800-53-enhancement", - "title": "Prevent Split Tunneling for Remote Devices", - "properties": [ - { - "name": "label", - "value": "SC-7(7)" - }, - { - "name": "sort-id", - "value": "SC-07(07)" - } - ], - "parts": [ - { - "id": "sc-7.7_smt", - "name": "statement", - "prose": "Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks." - }, - { - "id": "sc-7.7_gdn", - "name": "guidance", - "prose": "Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information." - } - ] - }, - { - "id": "sc-7.8", - "class": "SP800-53-enhancement", - "title": "Route Traffic to Authenticated Proxy Servers", - "parameters": [ - { - "id": "sc-7.8_prm_1", - "label": "organization-defined internal communications traffic" - }, - { - "id": "sc-7.8_prm_2", - "label": "organization-defined external networks" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-7(8)" - }, - { - "name": "sort-id", - "value": "SC-07(08)" - } - ], - "links": [ - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - } - ], - "parts": [ - { - "id": "sc-7.8_smt", - "name": "statement", - "prose": "Route {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces." - }, - { - "id": "sc-7.8_gdn", - "name": "guidance", - "prose": "External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation)." - } - ] - } - ] - }, - { - "id": "sc-8", - "class": "SP800-53", - "title": "Transmission Confidentiality and Integrity", - "parameters": [ - { - "id": "sc-8_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-8" - }, - { - "name": "sort-id", - "value": "SC-08" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#bbc7085f-b383-444e-af74-722a55cccc0f", - "rel": "reference", - "text": "[FIPS 197]" - }, - { - "href": "#286604ec-e383-4c1d-bd8c-d88f88e54a0f", - "rel": "reference", - "text": "[SP 800-52]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#36132a58-56fd-4980-9f6c-c010d3faf52b", - "rel": "reference", - "text": "[SP 800-113]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ia-9", - "rel": "related", - "text": "IA-9" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-4", - "rel": "related", - "text": "PE-4" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-16", - "rel": "related", - "text": "SC-16" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - } - ], - "parts": [ - { - "id": "sc-8_smt", - "name": "statement", - "prose": "Protect the {{ sc-8_prm_1 }} of transmitted information." - }, - { - "id": "sc-8_gdn", - "name": "guidance", - "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\nOrganizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." - } - ], - "controls": [ - { - "id": "sc-8.1", - "class": "SP800-53-enhancement", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "sc-8.1_prm_1" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-8(1)" - }, - { - "name": "sort-id", - "value": "SC-08(01)" - } - ], - "links": [ - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - } - ], - "parts": [ - { - "id": "sc-8.1_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission." - }, - { - "id": "sc-8.1_gdn", - "name": "guidance", - "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path." - } - ] - } - ] - }, - { - "id": "sc-10", - "class": "SP800-53", - "title": "Network Disconnect", - "parameters": [ - { - "id": "sc-10_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-10" - }, - { - "name": "sort-id", - "value": "SC-10" - } - ], - "links": [ - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - } - ], - "parts": [ - { - "id": "sc-10_smt", - "name": "statement", - "prose": "Terminate the network connection associated with a communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity." - }, - { - "id": "sc-10_gdn", - "name": "guidance", - "prose": "Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses." - } - ] - }, - { - "id": "sc-12", - "class": "SP800-53", - "title": "Cryptographic Key Establishment and Management", - "parameters": [ - { - "id": "sc-12_prm_1", - "label": "organization-defined requirements for key generation, distribution, storage, access, and destruction" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-12" - }, - { - "name": "sort-id", - "value": "SC-12" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "rel": "reference", - "text": "[SP 800-56A]" - }, - { - "href": "#f417e4ec-cadb-47a8-a363-6006b32c28ad", - "rel": "reference", - "text": "[SP 800-56B]" - }, - { - "href": "#7c3ba335-62bd-4f03-888f-960790409b11", - "rel": "reference", - "text": "[SP 800-56C]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#f437b52f-7f26-42aa-8e8f-999e7d67b2fe", - "rel": "reference", - "text": "[IR 7956]" - }, - { - "href": "#30213e10-2aca-47b3-8cdb-61303e0959f5", - "rel": "reference", - "text": "[IR 7966]" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-11", - "rel": "related", - "text": "SC-11" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-17", - "rel": "related", - "text": "SC-17" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "sc-12_smt", - "name": "statement", - "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}." - }, - { - "id": "sc-12_gdn", - "name": "guidance", - "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." - } - ] - }, - { - "id": "sc-13", - "class": "SP800-53", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "sc-13_prm_1", - "label": "organization-defined cryptographic uses" - }, - { - "id": "sc-13_prm_2", - "label": "organization-defined types of cryptography for each specified cryptographic use" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-13" - }, - { - "name": "sort-id", - "value": "SC-13" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ia-7", - "rel": "related", - "text": "IA-7" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-40", - "rel": "related", - "text": "SC-40" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "sc-13_smt", - "name": "statement", - "parts": [ - { - "id": "sc-13_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine the {{ sc-13_prm_1 }}; and" - }, - { - "id": "sc-13_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}." - } - ] - }, - { - "id": "sc-13_gdn", - "name": "guidance", - "prose": "Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "sc-15", - "class": "SP800-53", - "title": "Collaborative Computing Devices and Applications", - "parameters": [ - { - "id": "sc-15_prm_1", - "label": "organization-defined exceptions where remote activation is to be allowed" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-15" - }, - { - "name": "sort-id", - "value": "SC-15" - } - ], - "links": [ - { - "href": "#ac-21", - "rel": "related", - "text": "AC-21" - }, - { - "href": "#sc-42", - "rel": "related", - "text": "SC-42" - } - ], - "parts": [ - { - "id": "sc-15_smt", - "name": "statement", - "parts": [ - { - "id": "sc-15_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and" - }, - { - "id": "sc-15_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide an explicit indication of use to users physically present at the devices." - } - ] - }, - { - "id": "sc-15_gdn", - "name": "guidance", - "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated." - } - ] - }, - { - "id": "sc-17", - "class": "SP800-53", - "title": "Public Key Infrastructure Certificates", - "parameters": [ - { - "id": "sc-17_prm_1", - "label": "organization-defined certificate policy" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-17" - }, - { - "name": "sort-id", - "value": "SC-17" - } - ], - "links": [ - { - "href": "#b7140427-d4c4-467a-97a1-5ca9f7c6584a", - "rel": "reference", - "text": "[SP 800-32]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - } - ], - "parts": [ - { - "id": "sc-17_smt", - "name": "statement", - "parts": [ - { - "id": "sc-17_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Issue public key certificates under an {{ sc-17_prm_1 }} or obtain public key certificates from an approved service provider; and" - }, - { - "id": "sc-17_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Include only approved trust anchors in trust stores or certificate stores managed by the organization." - } - ] - }, - { - "id": "sc-17_gdn", - "name": "guidance", - "prose": "This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates." - } - ] - }, - { - "id": "sc-18", - "class": "SP800-53", - "title": "Mobile Code", - "properties": [ - { - "name": "label", - "value": "SC-18" - }, - { - "name": "sort-id", - "value": "SC-18" - } - ], - "links": [ - { - "href": "#8e334d74-fc06-47a9-bbb1-804fdfae0e44", - "rel": "reference", - "text": "[SP 800-28]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - } - ], - "parts": [ - { - "id": "sc-18_smt", - "name": "statement", - "parts": [ - { - "id": "sc-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define acceptable and unacceptable mobile code and mobile code technologies; and" - }, - { - "id": "sc-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Authorize, monitor, and control the use of mobile code within the system." - } - ] - }, - { - "id": "sc-18_gdn", - "name": "guidance", - "prose": "Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source." - } - ] - }, - { - "id": "sc-20", - "class": "SP800-53", - "title": "Secure Name/address Resolution Service (authoritative Source)", - "properties": [ - { - "name": "label", - "value": "SC-20" - }, - { - "name": "sort-id", - "value": "SC-20" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-21", - "rel": "related", - "text": "SC-21" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - } - ], - "parts": [ - { - "id": "sc-20_smt", - "name": "statement", - "parts": [ - { - "id": "sc-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" - }, - { - "id": "sc-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." - } - ] - }, - { - "id": "sc-20_gdn", - "name": "guidance", - "prose": "This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." - } - ] - }, - { - "id": "sc-21", - "class": "SP800-53", - "title": "Secure Name/address Resolution Service (recursive or Caching Resolver)", - "properties": [ - { - "name": "label", - "value": "SC-21" - }, - { - "name": "sort-id", - "value": "SC-21" - } - ], - "links": [ - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-22", - "rel": "related", - "text": "SC-22" - } - ], - "parts": [ - { - "id": "sc-21_smt", - "name": "statement", - "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources." - }, - { - "id": "sc-21_gdn", - "name": "guidance", - "prose": "Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." - } - ] - }, - { - "id": "sc-22", - "class": "SP800-53", - "title": "Architecture and Provisioning for Name/address Resolution Service", - "properties": [ - { - "name": "label", - "value": "SC-22" - }, - { - "name": "sort-id", - "value": "SC-22" - } - ], - "links": [ - { - "href": "#93d44344-59f9-4669-845d-6cc2a5852621", - "rel": "reference", - "text": "[SP 800-81-2]" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-20", - "rel": "related", - "text": "SC-20" - }, - { - "href": "#sc-21", - "rel": "related", - "text": "SC-21" - }, - { - "href": "#sc-24", - "rel": "related", - "text": "SC-24" - } - ], - "parts": [ - { - "id": "sc-22_smt", - "name": "statement", - "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." - }, - { - "id": "sc-22_gdn", - "name": "guidance", - "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists." - } - ] - }, - { - "id": "sc-23", - "class": "SP800-53", - "title": "Session Authenticity", - "properties": [ - { - "name": "label", - "value": "SC-23" - }, - { - "name": "sort-id", - "value": "SC-23" - } - ], - "links": [ - { - "href": "#286604ec-e383-4c1d-bd8c-d88f88e54a0f", - "rel": "reference", - "text": "[SP 800-52]" - }, - { - "href": "#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "rel": "reference", - "text": "[SP 800-77]" - }, - { - "href": "#1d91d984-0cb6-4f96-a01d-c39a3eee7d43", - "rel": "reference", - "text": "[SP 800-95]" - }, - { - "href": "#36132a58-56fd-4980-9f6c-c010d3faf52b", - "rel": "reference", - "text": "[SP 800-113]" - }, - { - "href": "#au-10", - "rel": "related", - "text": "AU-10" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-10", - "rel": "related", - "text": "SC-10" - }, - { - "href": "#sc-11", - "rel": "related", - "text": "SC-11" - } - ], - "parts": [ - { - "id": "sc-23_smt", - "name": "statement", - "prose": "Protect the authenticity of communications sessions." - }, - { - "id": "sc-23_gdn", - "name": "guidance", - "prose": "Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions." - } - ] - }, - { - "id": "sc-28", - "class": "SP800-53", - "title": "Protection of Information at Rest", - "parameters": [ - { - "id": "sc-28_prm_1" - }, - { - "id": "sc-28_prm_2", - "label": "organization-defined information at rest" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-28" - }, - { - "name": "sort-id", - "value": "SC-28" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "rel": "reference", - "text": "[SP 800-56A]" - }, - { - "href": "#f417e4ec-cadb-47a8-a363-6006b32c28ad", - "rel": "reference", - "text": "[SP 800-56B]" - }, - { - "href": "#7c3ba335-62bd-4f03-888f-960790409b11", - "rel": "reference", - "text": "[SP 800-56C]" - }, - { - "href": "#770f9bdc-4023-48ef-8206-c65397f061ea", - "rel": "reference", - "text": "[SP 800-57-1]" - }, - { - "href": "#69644a9e-438a-47c3-bac9-cf28b5baf848", - "rel": "reference", - "text": "[SP 800-57-2]" - }, - { - "href": "#9933c883-e8f3-4a83-9a9a-d1e058038080", - "rel": "reference", - "text": "[SP 800-57-3]" - }, - { - "href": "#1b14b50f-7154-4226-958c-7dfff8276755", - "rel": "reference", - "text": "[SP 800-111]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-9", - "rel": "related", - "text": "CP-9" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-34", - "rel": "related", - "text": "SC-34" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-16", - "rel": "related", - "text": "SI-16" - } - ], - "parts": [ - { - "id": "sc-28_smt", - "name": "statement", - "prose": "Protect the {{ sc-28_prm_1 }} of the following information at rest: {{ sc-28_prm_2 }}." - }, - { - "id": "sc-28_gdn", - "name": "guidance", - "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage." - } - ], - "controls": [ - { - "id": "sc-28.1", - "class": "SP800-53-enhancement", - "title": "Cryptographic Protection", - "parameters": [ - { - "id": "sc-28.1_prm_1", - "label": "organization-defined system components or media" - }, - { - "id": "sc-28.1_prm_2", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "SC-28(1)" - }, - { - "name": "sort-id", - "value": "SC-28(01)" - } - ], - "links": [ - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - } - ], - "parts": [ - { - "id": "sc-28.1_smt", - "name": "statement", - "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ sc-28.1_prm_1 }}: {{ sc-28.1_prm_2 }}." - }, - { - "id": "sc-28.1_gdn", - "name": "guidance", - "prose": "Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13)." - } - ] - } - ] - }, - { - "id": "sc-39", - "class": "SP800-53", - "title": "Process Isolation", - "properties": [ - { - "name": "label", - "value": "SC-39" - }, - { - "name": "sort-id", - "value": "SC-39" - } - ], - "links": [ - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-2", - "rel": "related", - "text": "SC-2" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - }, - { - "href": "#si-16", - "rel": "related", - "text": "SI-16" - } - ], - "parts": [ - { - "id": "sc-39_smt", - "name": "statement", - "prose": "Maintain a separate execution domain for each executing system process." - }, - { - "id": "sc-39_gdn", - "name": "guidance", - "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." - } - ] - } - ] - }, - { - "id": "si", - "class": "family", - "title": "System and Information Integrity", - "controls": [ - { - "id": "si-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "si-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-1_prm_2" - }, - { - "id": "si-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "si-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "si-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-1" - }, - { - "name": "sort-id", - "value": "SI-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "si-1_smt", - "name": "statement", - "parts": [ - { - "id": "si-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ si-1_prm_1 }}:", - "parts": [ - { - "id": "si-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ si-1_prm_2 }} system and information integrity policy that:", - "parts": [ - { - "id": "si-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "si-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "si-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" - } - ] - }, - { - "id": "si-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" - }, - { - "id": "si-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and information integrity:", - "parts": [ - { - "id": "si-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ si-1_prm_4 }}; and" - }, - { - "id": "si-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ si-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "si-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "si-2", - "class": "SP800-53", - "title": "Flaw Remediation", - "parameters": [ - { - "id": "si-2_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-2" - }, - { - "name": "sort-id", - "value": "SI-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "rel": "reference", - "text": "[IR 7788]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-5", - "rel": "related", - "text": "SI-5" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "si-2_smt", - "name": "statement", - "parts": [ - { - "id": "si-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify, report, and correct system flaws;" - }, - { - "id": "si-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" - }, - { - "id": "si-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and" - }, - { - "id": "si-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Incorporate flaw remediation into the organizational configuration management process." - } - ] - }, - { - "id": "si-2_gdn", - "name": "guidance", - "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\nOrganization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." - } - ], - "controls": [ - { - "id": "si-2.2", - "class": "SP800-53-enhancement", - "title": "Automated Flaw Remediation Status", - "parameters": [ - { - "id": "si-2.2_prm_1", - "label": "organization-defined automated mechanisms" - }, - { - "id": "si-2.2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-2(2)" - }, - { - "name": "sort-id", - "value": "SI-02(02)" - } - ], - "links": [ - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "si-2.2_smt", - "name": "statement", - "prose": "Determine if system components have applicable security-relevant software and firmware updates installed using {{ si-2.2_prm_1 }}\n {{ si-2.2_prm_2 }}." - }, - { - "id": "si-2.2_gdn", - "name": "guidance", - "prose": "Automated mechanisms can track and determine the status of known flaws for system components." - } - ] - } - ] - }, - { - "id": "si-3", - "class": "SP800-53", - "title": "Malicious Code Protection", - "parameters": [ - { - "id": "si-3_prm_1" - }, - { - "id": "si-3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "si-3_prm_3" - }, - { - "id": "si-3_prm_4" - }, - { - "id": "si-3_prm_5", - "depends-on": "si-3_prm_4", - "label": "organization-defined action" - }, - { - "id": "si-3_prm_6", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-3" - }, - { - "name": "sort-id", - "value": "SI-03" - } - ], - "links": [ - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#c972a85c-fa75-4596-be25-a338dc7e4e46", - "rel": "reference", - "text": "[SP 800-125B]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-23", - "rel": "related", - "text": "SC-23" - }, - { - "href": "#sc-26", - "rel": "related", - "text": "SC-26" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-44", - "rel": "related", - "text": "SC-44" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-8", - "rel": "related", - "text": "SI-8" - }, - { - "href": "#si-15", - "rel": "related", - "text": "SI-15" - } - ], - "parts": [ - { - "id": "si-3_smt", - "name": "statement", - "parts": [ - { - "id": "si-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" - }, - { - "id": "si-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" - }, - { - "id": "si-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Configure malicious code protection mechanisms to:", - "parts": [ - { - "id": "si-3_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" - }, - { - "id": "si-3_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection." - } - ] - }, - { - "id": "si-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." - } - ] - }, - { - "id": "si-3_gdn", - "name": "guidance", - "prose": "System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions.\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files." - } - ], - "controls": [ - { - "id": "si-3.1", - "class": "SP800-53-enhancement", - "title": "Central Management", - "properties": [ - { - "name": "label", - "value": "SI-3(1)" - }, - { - "name": "sort-id", - "value": "SI-03(01)" - } - ], - "links": [ - { - "href": "#pl-9", - "rel": "related", - "text": "PL-9" - } - ], - "parts": [ - { - "id": "si-3.1_smt", - "name": "statement", - "prose": "Centrally manage malicious code protection mechanisms." - }, - { - "id": "si-3.1_gdn", - "name": "guidance", - "prose": "Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls." - } - ] - } - ] - }, - { - "id": "si-4", - "class": "SP800-53", - "title": "System Monitoring", - "parameters": [ - { - "id": "si-4_prm_1", - "label": "organization-defined monitoring objectives" - }, - { - "id": "si-4_prm_2", - "label": "organization-defined techniques and methods" - }, - { - "id": "si-4_prm_3", - "label": "organization-defined system monitoring information" - }, - { - "id": "si-4_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-4_prm_5" - }, - { - "id": "si-4_prm_6", - "depends-on": "si-4_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4" - }, - { - "name": "sort-id", - "value": "SI-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#02d8ec60-6197-43f8-9f47-18732127963e", - "rel": "reference", - "text": "[SP 800-92]" - }, - { - "href": "#41e2e2c6-2260-4258-85c8-09db17c43103", - "rel": "reference", - "text": "[SP 800-94]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-10", - "rel": "related", - "text": "IA-10" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-26", - "rel": "related", - "text": "SC-26" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#sc-35", - "rel": "related", - "text": "SC-35" - }, - { - "href": "#sc-36", - "rel": "related", - "text": "SC-36" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-6", - "rel": "related", - "text": "SI-6" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - } - ], - "parts": [ - { - "id": "si-4_smt", - "name": "statement", - "parts": [ - { - "id": "si-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Monitor the system to detect:", - "parts": [ - { - "id": "si-4_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and" - }, - { - "id": "si-4_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Unauthorized local, network, and remote connections;" - } - ] - }, - { - "id": "si-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }};" - }, - { - "id": "si-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", - "parts": [ - { - "id": "si-4_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Strategically within the system to collect organization-determined essential information; and" - }, - { - "id": "si-4_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" - } - ] - }, - { - "id": "si-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;" - }, - { - "id": "si-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" - }, - { - "id": "si-4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Obtain legal opinion regarding system monitoring activities; and" - }, - { - "id": "si-4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n {{ si-4_prm_5 }}." - } - ] - }, - { - "id": "si-4_gdn", - "name": "guidance", - "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\nDepending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ], - "controls": [ - { - "id": "si-4.2", - "class": "SP800-53-enhancement", - "title": "Automated Tools and Mechanisms for Real-time Analysis", - "properties": [ - { - "name": "label", - "value": "SI-4(2)" - }, - { - "name": "sort-id", - "value": "SI-04(02)" - } - ], - "links": [ - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-25", - "rel": "related", - "text": "PM-25" - } - ], - "parts": [ - { - "id": "si-4.2_smt", - "name": "statement", - "prose": "Employ automated tools and mechanisms to support near real-time analysis of events." - }, - { - "id": "si-4.2_gdn", - "name": "guidance", - "prose": "Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." - } - ] - }, - { - "id": "si-4.4", - "class": "SP800-53-enhancement", - "title": "Inbound and Outbound Communications Traffic", - "parameters": [ - { - "id": "si-4.4_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(4)" - }, - { - "name": "sort-id", - "value": "SI-04(04)" - } - ], - "parts": [ - { - "id": "si-4.4_smt", - "name": "statement", - "prose": "Monitor inbound and outbound communications traffic {{ si-4.4_prm_1 }} for unusual or unauthorized activities or conditions." - }, - { - "id": "si-4.4_gdn", - "name": "guidance", - "prose": "Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components." - } - ] - }, - { - "id": "si-4.5", - "class": "SP800-53-enhancement", - "title": "System-generated Alerts", - "parameters": [ - { - "id": "si-4.5_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-4.5_prm_2", - "label": "organization-defined compromise indicators" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-4(5)" - }, - { - "name": "sort-id", - "value": "SI-04(05)" - } - ], - "links": [ - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - } - ], - "parts": [ - { - "id": "si-4.5_smt", - "name": "statement", - "prose": "Alert {{ si-4.5_prm_1 }} when the following system-generated indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}." - }, - { - "id": "si-4.5_gdn", - "name": "guidance", - "prose": "Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats." - } - ] - } - ] - }, - { - "id": "si-5", - "class": "SP800-53", - "title": "Security Alerts, Advisories, and Directives", - "parameters": [ - { - "id": "si-5_prm_1", - "label": "organization-defined external organizations" - }, - { - "id": "si-5_prm_2" - }, - { - "id": "si-5_prm_3", - "depends-on": "si-5_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-5_prm_4", - "depends-on": "si-5_prm_2", - "label": "organization-defined elements within the organization" - }, - { - "id": "si-5_prm_5", - "depends-on": "si-5_prm_2", - "label": "organization-defined external organizations" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-5" - }, - { - "name": "sort-id", - "value": "SI-05" - } - ], - "links": [ - { - "href": "#1126ec09-2b27-4a21-80b2-fef70b31c49d", - "rel": "reference", - "text": "[SP 800-40]" - }, - { - "href": "#pm-15", - "rel": "related", - "text": "PM-15" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "si-5_smt", - "name": "statement", - "parts": [ - { - "id": "si-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis;" - }, - { - "id": "si-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" - }, - { - "id": "si-5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and" - }, - { - "id": "si-5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." - } - ] - }, - { - "id": "si-5_gdn", - "name": "guidance", - "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." - } - ] - }, - { - "id": "si-7", - "class": "SP800-53", - "title": "Software, Firmware, and Information Integrity", - "parameters": [ - { - "id": "si-7_prm_1", - "label": "organization-defined software, firmware, and information" - }, - { - "id": "si-7_prm_2", - "label": "organization-defined actions" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7" - }, - { - "name": "sort-id", - "value": "SI-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#e9224c9b-4fa5-40b7-bfbb-02bff7712d92", - "rel": "reference", - "text": "[SP 800-147]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-7", - "rel": "related", - "text": "CM-7" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sc-8", - "rel": "related", - "text": "SC-8" - }, - { - "href": "#sc-12", - "rel": "related", - "text": "SC-12" - }, - { - "href": "#sc-13", - "rel": "related", - "text": "SC-13" - }, - { - "href": "#sc-28", - "rel": "related", - "text": "SC-28" - }, - { - "href": "#sc-37", - "rel": "related", - "text": "SC-37" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "si-7_smt", - "name": "statement", - "parts": [ - { - "id": "si-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ si-7_prm_1 }}; and" - }, - { - "id": "si-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ si-7_prm_2 }}." - } - ] - }, - { - "id": "si-7_gdn", - "name": "guidance", - "prose": "Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications." - } - ], - "controls": [ - { - "id": "si-7.1", - "class": "SP800-53-enhancement", - "title": "Integrity Checks", - "parameters": [ - { - "id": "si-7.1_prm_1", - "label": "organization-defined software, firmware, and information" - }, - { - "id": "si-7.1_prm_2" - }, - { - "id": "si-7.1_prm_3", - "depends-on": "si-7.1_prm_2", - "label": "organization-defined transitional states or security-relevant events" - }, - { - "id": "si-7.1_prm_4", - "depends-on": "si-7.1_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7(1)" - }, - { - "name": "sort-id", - "value": "SI-07(01)" - } - ], - "parts": [ - { - "id": "si-7.1_smt", - "name": "statement", - "prose": "Perform an integrity check of {{ si-7.1_prm_1 }}\n {{ si-7.1_prm_2 }}." - }, - { - "id": "si-7.1_gdn", - "name": "guidance", - "prose": "Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort." - } - ] - }, - { - "id": "si-7.7", - "class": "SP800-53-enhancement", - "title": "Integration of Detection and Response", - "parameters": [ - { - "id": "si-7.7_prm_1", - "label": "organization-defined security-relevant changes to the system" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-7(7)" - }, - { - "name": "sort-id", - "value": "SI-07(07)" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "si-7.7_smt", - "name": "statement", - "prose": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ si-7.7_prm_1 }}." - }, - { - "id": "si-7.7_gdn", - "name": "guidance", - "prose": "This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges." - } - ] - } - ] - }, - { - "id": "si-8", - "class": "SP800-53", - "title": "Spam Protection", - "properties": [ - { - "name": "label", - "value": "SI-8" - }, - { - "name": "sort-id", - "value": "SI-08" - } - ], - "links": [ - { - "href": "#23b0a203-c020-47dd-b86c-9f8c35ecaa4e", - "rel": "reference", - "text": "[SP 800-45]" - }, - { - "href": "#64e044e4-b2a9-490f-a079-1106407c812f", - "rel": "reference", - "text": "[SP 800-177]" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "si-8_smt", - "name": "statement", - "parts": [ - { - "id": "si-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and" - }, - { - "id": "si-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures." - } - ] - }, - { - "id": "si-8_gdn", - "name": "guidance", - "prose": "System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions." - } - ], - "controls": [ - { - "id": "si-8.1", - "class": "SP800-53-enhancement", - "title": "Central Management", - "properties": [ - { - "name": "label", - "value": "SI-8(1)" - }, - { - "name": "sort-id", - "value": "SI-08(01)" - } - ], - "links": [ - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "si-8.1_smt", - "name": "statement", - "prose": "Centrally manage spam protection mechanisms." - }, - { - "id": "si-8.1_gdn", - "name": "guidance", - "prose": "Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls." - } - ] - }, - { - "id": "si-8.2", - "class": "SP800-53-enhancement", - "title": "Automatic Updates", - "parameters": [ - { - "id": "si-8.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-8(2)" - }, - { - "name": "sort-id", - "value": "SI-08(02)" - } - ], - "parts": [ - { - "id": "si-8.2_smt", - "name": "statement", - "prose": "Automatically update spam protection mechanisms {{ si-8.2_prm_1 }}." - }, - { - "id": "si-8.2_gdn", - "name": "guidance", - "prose": "Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability." - } - ] - } - ] - }, - { - "id": "si-10", - "class": "SP800-53", - "title": "Information Input Validation", - "parameters": [ - { - "id": "si-10_prm_1", - "label": "organization-defined information inputs to the system" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-10" - }, - { - "name": "sort-id", - "value": "SI-10" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - } - ], - "parts": [ - { - "id": "si-10_smt", - "name": "statement", - "prose": "Check the validity of the following information inputs: {{ si-10_prm_1 }}." - }, - { - "id": "si-10_gdn", - "name": "guidance", - "prose": "Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks." - } - ] - }, - { - "id": "si-11", - "class": "SP800-53", - "title": "Error Handling", - "parameters": [ - { - "id": "si-11_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-11" - }, - { - "name": "sort-id", - "value": "SI-11" - } - ], - "links": [ - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#sc-31", - "rel": "related", - "text": "SC-31" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "si-11_smt", - "name": "statement", - "parts": [ - { - "id": "si-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and" - }, - { - "id": "si-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Reveal error messages only to {{ si-11_prm_1 }}." - } - ] - }, - { - "id": "si-11_gdn", - "name": "guidance", - "prose": "Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information." - } - ] - }, - { - "id": "si-12", - "class": "SP800-53", - "title": "Information Management and Retention", - "properties": [ - { - "name": "label", - "value": "SI-12" - }, - { - "name": "sort-id", - "value": "SI-12" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-3", - "rel": "related", - "text": "MP-3" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - } - ], - "parts": [ - { - "id": "si-12_smt", - "name": "statement", - "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." - }, - { - "id": "si-12_gdn", - "name": "guidance", - "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel." - } - ] - }, - { - "id": "si-16", - "class": "SP800-53", - "title": "Memory Protection", - "parameters": [ - { - "id": "si-16_prm_1", - "label": "organization-defined controls" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-16" - }, - { - "name": "sort-id", - "value": "SI-16" - } - ], - "links": [ - { - "href": "#ac-25", - "rel": "related", - "text": "AC-25" - }, - { - "href": "#sc-3", - "rel": "related", - "text": "SC-3" - } - ], - "parts": [ - { - "id": "si-16_smt", - "name": "statement", - "prose": "Implement the following controls to protect the system memory from unauthorized code execution: {{ si-16_prm_1 }}." - }, - { - "id": "si-16_gdn", - "name": "guidance", - "prose": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism." - } - ] - } - ] - }, - { - "id": "sr", - "class": "family", - "title": "Supply Chain Risk Management", - "controls": [ - { - "id": "sr-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sr-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sr-1_prm_2" - }, - { - "id": "sr-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sr-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sr-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-1" - }, - { - "name": "sort-id", - "value": "SR-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sr-1_smt", - "name": "statement", - "parts": [ - { - "id": "sr-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sr-1_prm_1 }}:", - "parts": [ - { - "id": "sr-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sr-1_prm_2 }} supply chain risk management policy that:", - "parts": [ - { - "id": "sr-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sr-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sr-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" - } - ] - }, - { - "id": "sr-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" - }, - { - "id": "sr-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current supply chain risk management:", - "parts": [ - { - "id": "sr-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sr-1_prm_4 }}; and" - }, - { - "id": "sr-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sr-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sr-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sr-2", - "class": "SP800-53", - "title": "Supply Chain Risk Management Plan", - "parameters": [ - { - "id": "sr-2_prm_1", - "label": "organization-defined systems, system components, or system services" - }, - { - "id": "sr-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-2" - }, - { - "name": "sort-id", - "value": "SR-02" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - } - ], - "parts": [ - { - "id": "sr-2_smt", - "name": "statement", - "parts": [ - { - "id": "sr-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }};" - }, - { - "id": "sr-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the supply chain risk management plan consistently across the organization; and" - }, - { - "id": "sr-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes." - } - ] - }, - { - "id": "sr-2_gdn", - "name": "guidance", - "prose": "The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans.\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8)." - } - ], - "controls": [ - { - "id": "sr-2.1", - "class": "SP800-53-enhancement", - "title": "Establish Scrm Team", - "parameters": [ - { - "id": "sr-2.1_prm_1", - "label": "organization-defined personnel, roles, and responsibilities" - }, - { - "id": "sr-2.1_prm_2", - "label": "organization-defined supply chain risk management activities" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-2(1)" - }, - { - "name": "sort-id", - "value": "SR-02(01)" - } - ], - "parts": [ - { - "id": "sr-2.1_smt", - "name": "statement", - "prose": "Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}." - }, - { - "id": "sr-2.1_gdn", - "name": "guidance", - "prose": "To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team." - } - ] - } - ] - }, - { - "id": "sr-3", - "class": "SP800-53", - "title": "Supply Chain Controls and Processes", - "parameters": [ - { - "id": "sr-3_prm_1", - "label": "organization-defined system or system component" - }, - { - "id": "sr-3_prm_2", - "label": "organization-defined supply chain personnel" - }, - { - "id": "sr-3_prm_3", - "label": "organization-defined supply chain controls" - }, - { - "id": "sr-3_prm_4" - }, - { - "id": "sr-3_prm_5", - "depends-on": "sr-3_prm_4", - "label": "organization-defined document" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-3" - }, - { - "name": "sort-id", - "value": "SR-03" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-6", - "rel": "related", - "text": "MA-6" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-29", - "rel": "related", - "text": "SC-29" - }, - { - "href": "#sc-30", - "rel": "related", - "text": "SC-30" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-3_smt", - "name": "statement", - "parts": [ - { - "id": "sr-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }};" - }, - { - "id": "sr-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and" - }, - { - "id": "sr-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}." - } - ] - }, - { - "id": "sr-3_gdn", - "name": "guidance", - "prose": "Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." - } - ] - }, - { - "id": "sr-5", - "class": "SP800-53", - "title": "Acquisition Strategies, Tools, and Methods", - "parameters": [ - { - "id": "sr-5_prm_1", - "label": "organization-defined acquisition strategies, contract tools, and procurement methods" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-5" - }, - { - "name": "sort-id", - "value": "SR-05" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-5_smt", - "name": "statement", - "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}." - }, - { - "id": "sr-5_gdn", - "name": "guidance", - "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." - } - ] - }, - { - "id": "sr-6", - "class": "SP800-53", - "title": "Supplier Reviews", - "parameters": [ - { - "id": "sr-6_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-6" - }, - { - "name": "sort-id", - "value": "SR-06" - } - ], - "links": [ - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "rel": "reference", - "text": "[FIPS 180-4]" - }, - { - "href": "#0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "rel": "reference", - "text": "[FIPS 186-4]" - }, - { - "href": "#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "rel": "reference", - "text": "[FIPS 202]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sr-6_smt", - "name": "statement", - "prose": "Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ sr-6_prm_1 }}." - }, - { - "id": "sr-6_gdn", - "name": "guidance", - "prose": "A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts." - } - ] - }, - { - "id": "sr-8", - "class": "SP800-53", - "title": "Notification Agreements", - "parameters": [ - { - "id": "sr-8_prm_1" - }, - { - "id": "sr-8_prm_2", - "depends-on": "sr-8_prm_1", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-8" - }, - { - "name": "sort-id", - "value": "SR-08" - } - ], - "links": [ - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - } - ], - "parts": [ - { - "id": "sr-8_smt", - "name": "statement", - "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}." - }, - { - "id": "sr-8_gdn", - "name": "guidance", - "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." - } - ] - }, - { - "id": "sr-10", - "class": "SP800-53", - "title": "Inspection of Systems or Components", - "parameters": [ - { - "id": "sr-10_prm_1" - }, - { - "id": "sr-10_prm_2", - "depends-on": "sr-10_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "sr-10_prm_3", - "depends-on": "sr-10_prm_1", - "label": "organization-defined indications of need for inspection" - }, - { - "id": "sr-10_prm_4", - "label": "organization-defined systems or system components" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-10" - }, - { - "name": "sort-id", - "value": "SR-10" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "sr-10_smt", - "name": "statement", - "prose": "Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}." - }, - { - "id": "sr-10_gdn", - "name": "guidance", - "prose": "Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations." - } - ] - }, - { - "id": "sr-11", - "class": "SP800-53", - "title": "Component Authenticity", - "parameters": [ - { - "id": "sr-11_prm_1" - }, - { - "id": "sr-11_prm_2", - "depends-on": "sr-11_prm_1", - "label": "organization-defined external reporting organizations" - }, - { - "id": "sr-11_prm_3", - "depends-on": "sr-11_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11" - }, - { - "name": "sort-id", - "value": "SR-11" - } - ], - "links": [ - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#sr-9", - "rel": "related", - "text": "SR-9" - }, - { - "href": "#sr-10", - "rel": "related", - "text": "SR-10" - } - ], - "parts": [ - { - "id": "sr-11_smt", - "name": "statement", - "parts": [ - { - "id": "sr-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" - }, - { - "id": "sr-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report counterfeit system components to {{ sr-11_prm_1 }}." - } - ] - }, - { - "id": "sr-11_gdn", - "name": "guidance", - "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." - } - ], - "controls": [ - { - "id": "sr-11.1", - "class": "SP800-53-enhancement", - "title": "Anti-counterfeit Training", - "parameters": [ - { - "id": "sr-11.1_prm_1", - "label": "organization-defined personnel or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(1)" - }, - { - "name": "sort-id", - "value": "SR-11(01)" - } - ], - "links": [ - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "sr-11.1_smt", - "name": "statement", - "prose": "Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware)." - }, - { - "id": "sr-11.1_gdn", - "name": "guidance", - "prose": "None." - } - ] - }, - { - "id": "sr-11.2", - "class": "SP800-53-enhancement", - "title": "Configuration Control for Component Service and Repair", - "parameters": [ - { - "id": "sr-11.2_prm_1", - "label": "organization-defined system components" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(2)" - }, - { - "name": "sort-id", - "value": "SR-11(02)" - } - ], - "links": [ - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - } - ], - "parts": [ - { - "id": "sr-11.2_smt", - "name": "statement", - "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}." - }, - { - "id": "sr-11.2_gdn", - "name": "guidance", - "prose": "None." - } - ] - }, - { - "id": "sr-11.3", - "class": "SP800-53-enhancement", - "title": "Component Disposal", - "parameters": [ - { - "id": "sr-11.3_prm_1", - "label": "organization-defined techniques and methods" - } - ], - "properties": [ - { - "name": "label", - "value": "SR-11(3)" - }, - { - "name": "sort-id", - "value": "SR-11(03)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - } - ], - "parts": [ - { - "id": "sr-11.3_smt", - "name": "statement", - "prose": "Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}." - }, - { - "id": "sr-11.3_gdn", - "name": "guidance", - "prose": "Proper disposal of system components helps to prevent such components from entering the gray market." - } - ] - } - ] - } - ] - } - ], - "back-matter": { - "resources": [ - { - "uuid": "a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "title": "[PRIVACT]", - "citation": { - "text": "Privacy Act (P.L. 93-579), December 1974." - }, - "rlinks": [ - { - "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" - } - ] - }, - { - "uuid": "43facb7b-0afb-480f-8191-34790d5b444b", - "title": "[EVIDACT]", - "citation": { - "text": "Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf" - } - ] - }, - { - "uuid": "52a8b0c6-0c6b-424b-928d-41c50ba87838", - "title": "[EO 13526]", - "citation": { - "text": "Executive Order 13526, *Classified National Security Information*, December 2009." - }, - "rlinks": [ - { - "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" - } - ] - }, - { - "uuid": "14958422-54f6-471f-a345-802dca594dd8", - "title": "[FISMA]", - "citation": { - "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" - } - ] - }, - { - "uuid": "2b5e12fb-633f-49e6-8aff-81d75bf53545", - "title": "[EO 13587]", - "citation": { - "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011." - }, - "rlinks": [ - { - "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" - } - ] - }, - { - "uuid": "cde25174-38e0-4a00-8919-8ee3674b8088", - "title": "[HSPD 7]", - "citation": { - "text": "Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/homeland-security-presidential-directive-7" - } - ] - }, - { - "uuid": "2383ccfd-d8a0-4e3a-bf40-21288ae1e07a", - "title": "[5 CFR 731]", - "citation": { - "text": "Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106)." - }, - "rlinks": [ - { - "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" - } - ] - }, - { - "uuid": "742b7c0e-218e-4fca-9c3d-5f264bbaf2bc", - "title": "[32 CFR 2002]", - "citation": { - "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002)." - }, - "rlinks": [ - { - "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" - } - ] - }, - { - "uuid": "286d42a1-efbe-49a2-9ce1-4c9bf68feb3b", - "title": "[ODNI NITP]", - "citation": { - "text": "Office of the Director National Intelligence, *National Insider Threat Policy*\n " - }, - "rlinks": [ - { - "href": "https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf" - } - ] - }, - { - "uuid": "395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "title": "[OMB A-108]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf" - } - ] - }, - { - "uuid": "a646d45d-775f-4887-86d3-5a00ffbc4090", - "title": "[OMB A-130]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016." - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" - } - ] - }, - { - "uuid": "f7d3617a-9a4f-4f1a-a688-845081b70390", - "title": "[OMB M-17-06]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf" - } - ] - }, - { - "uuid": "389fe193-866e-46b1-bf1d-38904b56aa7b", - "title": "[OMB M-17-12]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n " - }, - "rlinks": [ - { - "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" - } - ] - }, - { - "uuid": "ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3", - "title": "[OMB M-17-25]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf" - } - ] - }, - { - "uuid": "d843e915-eeb6-4bbe-8cab-ccc802088703", - "title": "[OMB M-19-23]", - "citation": { - "text": "Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf" - } - ] - }, - { - "uuid": "ee96f130-3f91-46ed-a4d8-57e5f220a623", - "title": "[CNSSI 1253]", - "citation": { - "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014." - }, - "rlinks": [ - { - "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" - } - ] - }, - { - "uuid": "24b7b1ec-6430-41de-9353-29fdb1b488fc", - "title": "[DHS NIPP]", - "citation": { - "text": "Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf" - } - ] - }, - { - "uuid": "6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "title": "[ISO 15408-1]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" - } - ] - }, - { - "uuid": "18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "title": "[ISO 15408-2]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" - } - ] - }, - { - "uuid": "2ce3a8bf-7f8b-4249-bd16-808231415b14", - "title": "[ISO 15408-3]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" - } - ] - }, - { - "uuid": "aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "title": "[FIPS 140-3]", - "citation": { - "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.140-3" - } - ] - }, - { - "uuid": "d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd", - "title": "[FIPS 180-4]", - "citation": { - "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.180-4" - } - ] - }, - { - "uuid": "0b9fe06d-1b89-4dba-b9f8-3baf51504b17", - "title": "[FIPS 186-4]", - "citation": { - "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.186-4" - } - ] - }, - { - "uuid": "bbc7085f-b383-444e-af74-722a55cccc0f", - "title": "[FIPS 197]", - "citation": { - "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.197" - } - ] - }, - { - "uuid": "b3e26423-0687-47c7-ba9a-a96870d58a27", - "title": "[FIPS 199]", - "citation": { - "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.199" - } - ] - }, - { - "uuid": "f2163084-3287-45e2-9ee7-95f020415495", - "title": "[FIPS 200]", - "citation": { - "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.200" - } - ] - }, - { - "uuid": "ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "title": "[FIPS 201-2]", - "citation": { - "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.201-2" - } - ] - }, - { - "uuid": "11b9fa15-bc4e-4669-ab65-a2bf74daa9fa", - "title": "[FIPS 202]", - "citation": { - "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.202" - } - ] - }, - { - "uuid": "12702585-0c72-43c9-9185-a76a59f74233", - "title": "[SP 800-12]", - "citation": { - "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-12r1" - } - ] - }, - { - "uuid": "ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "title": "[SP 800-18]", - "citation": { - "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-18r1" - } - ] - }, - { - "uuid": "8e334d74-fc06-47a9-bbb1-804fdfae0e44", - "title": "[SP 800-28]", - "citation": { - "text": "Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-28ver2" - } - ] - }, - { - "uuid": "1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "title": "[SP 800-30]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-30r1" - } - ] - }, - { - "uuid": "b7140427-d4c4-467a-97a1-5ca9f7c6584a", - "title": "[SP 800-32]", - "citation": { - "text": "Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-32" - } - ] - }, - { - "uuid": "65774382-fcc6-4bbc-89fc-9d35aab19952", - "title": "[SP 800-34]", - "citation": { - "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-34r1" - } - ] - }, - { - "uuid": "ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "title": "[SP 800-35]", - "citation": { - "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-35" - } - ] - }, - { - "uuid": "e07d73ea-96b9-4330-aff2-e0215f455343", - "title": "[SP 800-37]", - "citation": { - "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-37r2" - } - ] - }, - { - "uuid": "451e9636-402e-4c27-b3f5-e0e50f957f27", - "title": "[SP 800-39]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-39" - } - ] - }, - { - "uuid": "1126ec09-2b27-4a21-80b2-fef70b31c49d", - "title": "[SP 800-40]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-40r3" - } - ] - }, - { - "uuid": "db7877cf-1013-4fb1-b943-ca9361d16370", - "title": "[SP 800-41]", - "citation": { - "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-41r1" - } - ] - }, - { - "uuid": "23b0a203-c020-47dd-b86c-9f8c35ecaa4e", - "title": "[SP 800-45]", - "citation": { - "text": "Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-45ver2" - } - ] - }, - { - "uuid": "7768c184-088d-4ee8-a316-f9286b52df7f", - "title": "[SP 800-46]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-46r2" - } - ] - }, - { - "uuid": "2e66c31a-190e-49ad-8e00-f306f8a0df17", - "title": "[SP 800-47]", - "citation": { - "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-47" - } - ] - }, - { - "uuid": "2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "title": "[SP 800-50]", - "citation": { - "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-50" - } - ] - }, - { - "uuid": "286604ec-e383-4c1d-bd8c-d88f88e54a0f", - "title": "[SP 800-52]", - "citation": { - "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-52r2" - } - ] - }, - { - "uuid": "5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "title": "[SP 800-53A]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" - } - ] - }, - { - "uuid": "31f3c9de-c57c-4281-929b-f9951f9640f1", - "title": "[SP 800-53B]", - "citation": { - "text": "National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020." - } - }, - { - "uuid": "8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "title": "[SP 800-55]", - "citation": { - "text": "Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-55r1" - } - ] - }, - { - "uuid": "77dc1838-3664-4faa-bc6e-4e2a16e52f35", - "title": "[SP 800-56A]", - "citation": { - "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" - } - ] - }, - { - "uuid": "f417e4ec-cadb-47a8-a363-6006b32c28ad", - "title": "[SP 800-56B]", - "citation": { - "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" - } - ] - }, - { - "uuid": "7c3ba335-62bd-4f03-888f-960790409b11", - "title": "[SP 800-56C]", - "citation": { - "text": "Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-56Cr1" - } - ] - }, - { - "uuid": "770f9bdc-4023-48ef-8206-c65397f061ea", - "title": "[SP 800-57-1]", - "citation": { - "text": "Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r4" - } - ] - }, - { - "uuid": "69644a9e-438a-47c3-bac9-cf28b5baf848", - "title": "[SP 800-57-2]", - "citation": { - "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" - } - ] - }, - { - "uuid": "9933c883-e8f3-4a83-9a9a-d1e058038080", - "title": "[SP 800-57-3]", - "citation": { - "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" - } - ] - }, - { - "uuid": "68949f14-9cf5-4116-91d8-e820b9df3ffd", - "title": "[SP 800-60 v1]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" - } - ] - }, - { - "uuid": "e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "title": "[SP 800-60 v2]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" - } - ] - }, - { - "uuid": "7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "title": "[SP 800-61]", - "citation": { - "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-61r2" - } - ] - }, - { - "uuid": "549993c0-9bdd-4d49-875c-f56950cc5f30", - "title": "[SP 800-63-3]", - "citation": { - "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-63-3" - } - ] - }, - { - "uuid": "3c50fa31-7f4d-4d30-91d7-27ee87cd5f75", - "title": "[SP 800-63A]", - "citation": { - "text": "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-63a" - } - ] - }, - { - "uuid": "14a7d982-9747-48e0-a877-3e8fbf6ae381", - "title": "[SP 800-70]", - "citation": { - "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-70r4" - } - ] - }, - { - "uuid": "3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "title": "[SP 800-73-4]", - "citation": { - "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-73-4" - } - ] - }, - { - "uuid": "d5ef0056-c807-44c3-a7b5-6eb491538f8e", - "title": "[SP 800-76-2]", - "citation": { - "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-76-2" - } - ] - }, - { - "uuid": "8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa", - "title": "[SP 800-77]", - "citation": { - "text": "Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-77" - } - ] - }, - { - "uuid": "013e098f-0680-4856-a130-b768c69dab9c", - "title": "[SP 800-78-4]", - "citation": { - "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-78-4" - } - ] - }, - { - "uuid": "bb55e71a-e059-4263-8dd8-bc96fd3f063d", - "title": "[SP 800-79-2]", - "citation": { - "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-79-2" - } - ] - }, - { - "uuid": "93d44344-59f9-4669-845d-6cc2a5852621", - "title": "[SP 800-81-2]", - "citation": { - "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-81-2" - } - ] - }, - { - "uuid": "8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "title": "[SP 800-83]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-83r1" - } - ] - }, - { - "uuid": "20bf433b-074c-47a0-8fca-cd591772ccd6", - "title": "[SP 800-84]", - "citation": { - "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-84" - } - ] - }, - { - "uuid": "35dfd59f-eef2-4f71-bdb5-6d878267456a", - "title": "[SP 800-86]", - "citation": { - "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-86" - } - ] - }, - { - "uuid": "fed6a3b5-2b74-499f-9172-46671f7c24c8", - "title": "[SP 800-88]", - "citation": { - "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-88r1" - } - ] - }, - { - "uuid": "02d8ec60-6197-43f8-9f47-18732127963e", - "title": "[SP 800-92]", - "citation": { - "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-92" - } - ] - }, - { - "uuid": "41e2e2c6-2260-4258-85c8-09db17c43103", - "title": "[SP 800-94]", - "citation": { - "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-94" - } - ] - }, - { - "uuid": "1d91d984-0cb6-4f96-a01d-c39a3eee7d43", - "title": "[SP 800-95]", - "citation": { - "text": "Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-95" - } - ] - }, - { - "uuid": "6bed1550-cd5d-4e80-8d83-4e597c1514fe", - "title": "[SP 800-97]", - "citation": { - "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-97" - } - ] - }, - { - "uuid": "9183bd83-170e-4701-b32c-97e08ef8bedb", - "title": "[SP 800-100]", - "citation": { - "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-100" - } - ] - }, - { - "uuid": "1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "title": "[SP 800-101]", - "citation": { - "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-101r1" - } - ] - }, - { - "uuid": "1b14b50f-7154-4226-958c-7dfff8276755", - "title": "[SP 800-111]", - "citation": { - "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-111" - } - ] - }, - { - "uuid": "36132a58-56fd-4980-9f6c-c010d3faf52b", - "title": "[SP 800-113]", - "citation": { - "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-113" - } - ] - }, - { - "uuid": "49fa1ee1-aaf7-4270-bb5a-a86497f717dc", - "title": "[SP 800-114]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-114r1" - } - ] - }, - { - "uuid": "a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "title": "[SP 800-115]", - "citation": { - "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-115" - } - ] - }, - { - "uuid": "ad7d575f-b5fe-489b-8d48-36a93d964a5f", - "title": "[SP 800-116]", - "citation": { - "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-116r1" - } - ] - }, - { - "uuid": "60b24979-65b8-4ca5-a442-11b74339fab5", - "title": "[SP 800-121]", - "citation": { - "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-121r2" - } - ] - }, - { - "uuid": "18c6942b-95f8-414c-b548-c8e6b8d8a172", - "title": "[SP 800-124]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-124r1" - } - ] - }, - { - "uuid": "c972a85c-fa75-4596-be25-a338dc7e4e46", - "title": "[SP 800-125B]", - "citation": { - "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-125B" - } - ] - }, - { - "uuid": "0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f", - "title": "[SP 800-126]", - "citation": { - "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-126r3" - } - ] - }, - { - "uuid": "a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "title": "[SP 800-128]", - "citation": { - "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-128" - } - ] - }, - { - "uuid": "ae412317-c2b4-47bb-b47b-c329ce0d7a0b", - "title": "[SP 800-130]", - "citation": { - "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-130" - } - ] - }, - { - "uuid": "c3b34083-77b2-4dab-a980-73068f8933bd", - "title": "[SP 800-137]", - "citation": { - "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-137" - } - ] - }, - { - "uuid": "e9224c9b-4fa5-40b7-bfbb-02bff7712d92", - "title": "[SP 800-147]", - "citation": { - "text": "Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-147" - } - ] - }, - { - "uuid": "ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "title": "[SP 800-150]", - "citation": { - "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-150" - } - ] - }, - { - "uuid": "38dbdf55-9a14-446f-b563-c48e4e3d37fb", - "title": "[SP 800-152]", - "citation": { - "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-152" - } - ] - }, - { - "uuid": "fd0f14f5-8910-45c4-b60a-0c8936e00daa", - "title": "[SP 800-154]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/publications/detail/sp/800-154/draft" - } - ] - }, - { - "uuid": "f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa", - "title": "[SP 800-156]", - "citation": { - "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-156" - } - ] - }, - { - "uuid": "8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "title": "[SP 800-160 v1]", - "citation": { - "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v1" - } - ] - }, - { - "uuid": "8411e6e8-09bd-431d-bbcb-3423d36ad880", - "title": "[SP 800-160 v2]", - "citation": { - "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v2" - } - ] - }, - { - "uuid": "66476e76-46b4-47fb-be19-d13e6f3840df", - "title": "[SP 800-161]", - "citation": { - "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-161" - } - ] - }, - { - "uuid": "359f960c-2598-454c-ba3b-a30c553e498f", - "title": "[SP 800-162]", - "citation": { - "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-162" - } - ] - }, - { - "uuid": "a8f55663-86c5-415b-aabe-d2a126981d65", - "title": "[SP 800-166]", - "citation": { - "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-166" - } - ] - }, - { - "uuid": "893d1736-324c-41d6-a5f4-d526b5ca981a", - "title": "[SP 800-167]", - "citation": { - "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-167" - } - ] - }, - { - "uuid": "0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a", - "title": "[SP 800-171]", - "citation": { - "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-171r2" - } - ] - }, - { - "uuid": "aad55f03-8ece-4b21-b09c-9ef65b5a9f55", - "title": "[SP 800-171B]", - "citation": { - "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf" - } - ] - }, - { - "uuid": "64e044e4-b2a9-490f-a079-1106407c812f", - "title": "[SP 800-177]", - "citation": { - "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-177r1" - } - ] - }, - { - "uuid": "223b23a9-baea-4a50-8058-63cf7967b61f", - "title": "[SP 800-178]", - "citation": { - "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-178" - } - ] - }, - { - "uuid": "f4c3f657-de83-47ae-9aec-e144de8268d1", - "title": "[SP 800-181]", - "citation": { - "text": "Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-181" - } - ] - }, - { - "uuid": "08f518f7-f9b9-4bee-8986-860214f46b16", - "title": "[SP 800-184]", - "citation": { - "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-184" - } - ] - }, - { - "uuid": "eadef75e-7e4d-4554-b818-44946c1dde0e", - "title": "[SP 800-188]", - "citation": { - "text": "Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/publications/detail/sp/800-188/draft" - } - ] - }, - { - "uuid": "3862cd94-ff25-4631-9a9a-b92c21a0a923", - "title": "[SP 800-189]", - "citation": { - "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-189" - } - ] - }, - { - "uuid": "06d3c11a-4a00-42d9-ad75-e6a777ffae5e", - "title": "[SP 800-192]", - "citation": { - "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-192" - } - ] - }, - { - "uuid": "d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "title": "[IR 7539]", - "citation": { - "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7539" - } - ] - }, - { - "uuid": "09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "title": "[IR 7559]", - "citation": { - "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7559" - } - ] - }, - { - "uuid": "7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "title": "[IR 7622]", - "citation": { - "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7622" - } - ] - }, - { - "uuid": "daf69edb-a0ef-4447-9880-8c4bf553181f", - "title": "[IR 7676]", - "citation": { - "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7676" - } - ] - }, - { - "uuid": "bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c", - "title": "[IR 7788]", - "citation": { - "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7788" - } - ] - }, - { - "uuid": "a49f67fc-827c-40e6-9a37-2b1cbe8142fd", - "title": "[IR 7817]", - "citation": { - "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7817" - } - ] - }, - { - "uuid": "972c10bd-aedf-485f-b0db-f46a402127e2", - "title": "[IR 7849]", - "citation": { - "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7849" - } - ] - }, - { - "uuid": "197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "title": "[IR 7870]", - "citation": { - "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7870" - } - ] - }, - { - "uuid": "bb22d510-54a9-4588-b725-00d37576562b", - "title": "[IR 7874]", - "citation": { - "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7874" - } - ] - }, - { - "uuid": "f437b52f-7f26-42aa-8e8f-999e7d67b2fe", - "title": "[IR 7956]", - "citation": { - "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7956" - } - ] - }, - { - "uuid": "30213e10-2aca-47b3-8cdb-61303e0959f5", - "title": "[IR 7966]", - "citation": { - "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7966" - } - ] - }, - { - "uuid": "851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "title": "[IR 8011 v1]", - "citation": { - "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8011-1" - } - ] - }, - { - "uuid": "7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "title": "[IR 8023]", - "citation": { - "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8023" - } - ] - }, - { - "uuid": "24738ee6-b3f3-4e37-825b-58775846bdbc", - "title": "[IR 8040]", - "citation": { - "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8040" - } - ] - }, - { - "uuid": "817b4227-5857-494d-9032-915980b32f15", - "title": "[IR 8062]", - "citation": { - "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8062" - } - ] - }, - { - "uuid": "7a93e915-fd58-4147-be12-e48044c367e6", - "title": "[IR 8179]", - "citation": { - "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8179" - } - ] - }, - { - "uuid": "294eed19-7471-4517-9480-2ec73e7c6a78", - "title": "[DOD STIG]", - "citation": { - "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." - }, - "rlinks": [ - { - "href": "https://iase.disa.mil/stigs/Pages/index.aspx" - } - ] - }, - { - "uuid": "17ca9481-ea11-4ef2-81c1-885fd37d4be5", - "title": "[IETF 5905]", - "citation": { - "text": "" - } - }, - { - "uuid": "dd87fdf0-840d-4392-9de4-220b2327e340", - "title": "[NARA CUI]", - "citation": { - "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." - }, - "rlinks": [ - { - "href": "https://www.archives.gov/cui" - } - ] - }, - { - "uuid": "5dac2312-1d0d-416f-aebb-400fa9775b74", - "title": "[NIAP CCEVS]", - "citation": { - "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." - }, - "rlinks": [ - { - "href": "https://www.niap-ccevs.org/" - } - ] - }, - { - "uuid": "5cc04a1c-5489-4751-a493-746a9639067b", - "title": "[NCPR]", - "citation": { - "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at" - }, - "rlinks": [ - { - "href": "https://nvd.nist.gov/ncp/repository" - } - ] - }, - { - "uuid": "634dec27-df88-4c30-b1a4-b57cdfd24f20", - "title": "[NSA CSFC]", - "citation": { - "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/csfc" - } - ] - }, - { - "uuid": "a52271dc-11b5-423a-8b6f-14867bd94259", - "title": "[NSA MEDIA]", - "citation": { - "text": "National Security Agency, *Media Destruction Guidance*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/media-destruction" - } - ] - }, - { - "uuid": "06842bea-64c9-4e20-807a-b8fc003fa737", - "title": "[USGCB]", - "citation": { - "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at" - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" - } - ] - } - ] - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile-min.json deleted file mode 100644 index cb1ed34c54..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile-min.json +++ /dev/null @@ -1 +0,0 @@ -{"profile":{"uuid":"0976da03-108c-4f01-81a6-ad9ed63354fe","metadata":{"title":"SP800-53 MODERATE IMPACT BASELINE","last-modified":"2020-08-26T16:28:37.775-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"2ef7cfec-cb8e-4571-a7a2-a5c609b4767a","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["2ef7cfec-cb8e-4571-a7a2-a5c609b4767a"]},"contact":{"party-uuids":["2ef7cfec-cb8e-4571-a7a2-a5c609b4767a"]}}},"imports":[{"href":"NIST_SP-800-53_rev5-FPD_catalog.xml","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-2"},{"control-id":"ac-2.1"},{"control-id":"ac-2.2"},{"control-id":"ac-2.3"},{"control-id":"ac-2.4"},{"control-id":"ac-2.5"},{"control-id":"ac-2.13"},{"control-id":"ac-3"},{"control-id":"ac-4"},{"control-id":"ac-5"},{"control-id":"ac-6"},{"control-id":"ac-6.1"},{"control-id":"ac-6.2"},{"control-id":"ac-6.5"},{"control-id":"ac-6.7"},{"control-id":"ac-6.9"},{"control-id":"ac-6.10"},{"control-id":"ac-7"},{"control-id":"ac-8"},{"control-id":"ac-11"},{"control-id":"ac-11.1"},{"control-id":"ac-12"},{"control-id":"ac-14"},{"control-id":"ac-17"},{"control-id":"ac-17.1"},{"control-id":"ac-17.2"},{"control-id":"ac-17.3"},{"control-id":"ac-17.4"},{"control-id":"ac-18"},{"control-id":"ac-18.1"},{"control-id":"ac-18.3"},{"control-id":"ac-19"},{"control-id":"ac-19.5"},{"control-id":"ac-20"},{"control-id":"ac-20.1"},{"control-id":"ac-20.2"},{"control-id":"ac-21"},{"control-id":"ac-22"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-2.2"},{"control-id":"at-2.3"},{"control-id":"at-3"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-3"},{"control-id":"au-3.1"},{"control-id":"au-4"},{"control-id":"au-5"},{"control-id":"au-6"},{"control-id":"au-6.1"},{"control-id":"au-6.3"},{"control-id":"au-7"},{"control-id":"au-7.1"},{"control-id":"au-8"},{"control-id":"au-8.1"},{"control-id":"au-9"},{"control-id":"au-9.4"},{"control-id":"au-11"},{"control-id":"au-12"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-2.1"},{"control-id":"ca-3"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-7.1"},{"control-id":"ca-7.4"},{"control-id":"ca-9"},{"control-id":"cm-1"},{"control-id":"cm-2"},{"control-id":"cm-2.2"},{"control-id":"cm-2.3"},{"control-id":"cm-2.7"},{"control-id":"cm-3"},{"control-id":"cm-3.2"},{"control-id":"cm-3.4"},{"control-id":"cm-4"},{"control-id":"cm-4.2"},{"control-id":"cm-5"},{"control-id":"cm-6"},{"control-id":"cm-7"},{"control-id":"cm-7.1"},{"control-id":"cm-7.2"},{"control-id":"cm-7.5"},{"control-id":"cm-8"},{"control-id":"cm-8.1"},{"control-id":"cm-8.3"},{"control-id":"cm-9"},{"control-id":"cm-10"},{"control-id":"cm-11"},{"control-id":"cm-12"},{"control-id":"cm-12.1"},{"control-id":"cp-1"},{"control-id":"cp-2"},{"control-id":"cp-2.1"},{"control-id":"cp-2.3"},{"control-id":"cp-2.8"},{"control-id":"cp-3"},{"control-id":"cp-4"},{"control-id":"cp-4.1"},{"control-id":"cp-6"},{"control-id":"cp-6.1"},{"control-id":"cp-6.3"},{"control-id":"cp-7"},{"control-id":"cp-7.1"},{"control-id":"cp-7.2"},{"control-id":"cp-7.3"},{"control-id":"cp-8"},{"control-id":"cp-8.1"},{"control-id":"cp-8.2"},{"control-id":"cp-9"},{"control-id":"cp-9.1"},{"control-id":"cp-9.8"},{"control-id":"cp-10"},{"control-id":"cp-10.2"},{"control-id":"ia-1"},{"control-id":"ia-2"},{"control-id":"ia-2.1"},{"control-id":"ia-2.2"},{"control-id":"ia-2.8"},{"control-id":"ia-2.12"},{"control-id":"ia-3"},{"control-id":"ia-4"},{"control-id":"ia-4.4"},{"control-id":"ia-5"},{"control-id":"ia-5.1"},{"control-id":"ia-5.2"},{"control-id":"ia-5.6"},{"control-id":"ia-6"},{"control-id":"ia-7"},{"control-id":"ia-8"},{"control-id":"ia-8.1"},{"control-id":"ia-8.2"},{"control-id":"ia-8.4"},{"control-id":"ia-11"},{"control-id":"ia-12"},{"control-id":"ia-12.2"},{"control-id":"ia-12.3"},{"control-id":"ia-12.5"},{"control-id":"ir-1"},{"control-id":"ir-2"},{"control-id":"ir-3"},{"control-id":"ir-3.2"},{"control-id":"ir-4"},{"control-id":"ir-4.1"},{"control-id":"ir-5"},{"control-id":"ir-6"},{"control-id":"ir-6.1"},{"control-id":"ir-6.3"},{"control-id":"ir-7"},{"control-id":"ir-7.1"},{"control-id":"ir-8"},{"control-id":"ma-1"},{"control-id":"ma-2"},{"control-id":"ma-3"},{"control-id":"ma-3.1"},{"control-id":"ma-3.2"},{"control-id":"ma-3.3"},{"control-id":"ma-4"},{"control-id":"ma-5"},{"control-id":"ma-6"},{"control-id":"mp-1"},{"control-id":"mp-2"},{"control-id":"mp-3"},{"control-id":"mp-4"},{"control-id":"mp-5"},{"control-id":"mp-6"},{"control-id":"mp-7"},{"control-id":"pe-1"},{"control-id":"pe-2"},{"control-id":"pe-3"},{"control-id":"pe-4"},{"control-id":"pe-5"},{"control-id":"pe-6"},{"control-id":"pe-6.1"},{"control-id":"pe-8"},{"control-id":"pe-9"},{"control-id":"pe-10"},{"control-id":"pe-11"},{"control-id":"pe-12"},{"control-id":"pe-13"},{"control-id":"pe-13.1"},{"control-id":"pe-14"},{"control-id":"pe-15"},{"control-id":"pe-16"},{"control-id":"pe-17"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-4"},{"control-id":"pl-4.1"},{"control-id":"pl-8"},{"control-id":"pl-10"},{"control-id":"pl-11"},{"control-id":"pm-1"},{"control-id":"pm-2"},{"control-id":"pm-3"},{"control-id":"pm-4"},{"control-id":"pm-5"},{"control-id":"pm-5.1"},{"control-id":"pm-6"},{"control-id":"pm-7"},{"control-id":"pm-7.1"},{"control-id":"pm-8"},{"control-id":"pm-9"},{"control-id":"pm-10"},{"control-id":"pm-11"},{"control-id":"pm-12"},{"control-id":"pm-13"},{"control-id":"pm-14"},{"control-id":"pm-15"},{"control-id":"pm-16"},{"control-id":"pm-16.1"},{"control-id":"pm-17"},{"control-id":"pm-18"},{"control-id":"pm-19"},{"control-id":"pm-20"},{"control-id":"pm-21"},{"control-id":"pm-22"},{"control-id":"pm-23"},{"control-id":"pm-24"},{"control-id":"pm-25"},{"control-id":"pm-26"},{"control-id":"pm-27"},{"control-id":"pm-28"},{"control-id":"pm-29"},{"control-id":"pm-30"},{"control-id":"pm-31"},{"control-id":"pm-32"},{"control-id":"ps-1"},{"control-id":"ps-2"},{"control-id":"ps-3"},{"control-id":"ps-4"},{"control-id":"ps-5"},{"control-id":"ps-6"},{"control-id":"ps-7"},{"control-id":"ps-8"},{"control-id":"ra-1"},{"control-id":"ra-2"},{"control-id":"ra-3"},{"control-id":"ra-3.1"},{"control-id":"ra-5"},{"control-id":"ra-5.2"},{"control-id":"ra-5.5"},{"control-id":"ra-7"},{"control-id":"ra-9"},{"control-id":"sa-1"},{"control-id":"sa-2"},{"control-id":"sa-3"},{"control-id":"sa-4"},{"control-id":"sa-4.1"},{"control-id":"sa-4.2"},{"control-id":"sa-4.9"},{"control-id":"sa-4.10"},{"control-id":"sa-5"},{"control-id":"sa-8"},{"control-id":"sa-9"},{"control-id":"sa-9.2"},{"control-id":"sa-10"},{"control-id":"sa-11"},{"control-id":"sa-15"},{"control-id":"sa-15.3"},{"control-id":"sa-22"},{"control-id":"sc-1"},{"control-id":"sc-2"},{"control-id":"sc-4"},{"control-id":"sc-5"},{"control-id":"sc-7"},{"control-id":"sc-7.3"},{"control-id":"sc-7.4"},{"control-id":"sc-7.5"},{"control-id":"sc-7.7"},{"control-id":"sc-7.8"},{"control-id":"sc-8"},{"control-id":"sc-8.1"},{"control-id":"sc-10"},{"control-id":"sc-12"},{"control-id":"sc-13"},{"control-id":"sc-15"},{"control-id":"sc-17"},{"control-id":"sc-18"},{"control-id":"sc-20"},{"control-id":"sc-21"},{"control-id":"sc-22"},{"control-id":"sc-23"},{"control-id":"sc-28"},{"control-id":"sc-28.1"},{"control-id":"sc-39"},{"control-id":"si-1"},{"control-id":"si-2"},{"control-id":"si-2.2"},{"control-id":"si-3"},{"control-id":"si-3.1"},{"control-id":"si-4"},{"control-id":"si-4.2"},{"control-id":"si-4.4"},{"control-id":"si-4.5"},{"control-id":"si-5"},{"control-id":"si-7"},{"control-id":"si-7.1"},{"control-id":"si-7.7"},{"control-id":"si-8"},{"control-id":"si-8.1"},{"control-id":"si-8.2"},{"control-id":"si-10"},{"control-id":"si-11"},{"control-id":"si-12"},{"control-id":"si-16"},{"control-id":"sr-1"},{"control-id":"sr-2"},{"control-id":"sr-2.1"},{"control-id":"sr-3"},{"control-id":"sr-5"},{"control-id":"sr-6"},{"control-id":"sr-8"},{"control-id":"sr-10"},{"control-id":"sr-11"},{"control-id":"sr-11.1"},{"control-id":"sr-11.2"},{"control-id":"sr-11.3"}]}}],"merge":{"as-is":true}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.json deleted file mode 100644 index e862ab4416..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.json +++ /dev/null @@ -1,1037 +0,0 @@ -{ - "profile": { - "uuid": "0976da03-108c-4f01-81a6-ad9ed63354fe", - "metadata": { - "title": "SP800-53 MODERATE IMPACT BASELINE", - "last-modified": "2020-08-26T16:28:37.775-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "2ef7cfec-cb8e-4571-a7a2-a5c609b4767a", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "2ef7cfec-cb8e-4571-a7a2-a5c609b4767a" - ] - }, - "contact": { - "party-uuids": [ - "2ef7cfec-cb8e-4571-a7a2-a5c609b4767a" - ] - } - } - }, - "imports": [ - { - "href": "NIST_SP-800-53_rev5-FPD_catalog.xml", - "include": { - "id-selectors": [ - { - "control-id": "ac-1" - }, - { - "control-id": "ac-2" - }, - { - "control-id": "ac-2.1" - }, - { - "control-id": "ac-2.2" - }, - { - "control-id": "ac-2.3" - }, - { - "control-id": "ac-2.4" - }, - { - "control-id": "ac-2.5" - }, - { - "control-id": "ac-2.13" - }, - { - "control-id": "ac-3" - }, - { - "control-id": "ac-4" - }, - { - "control-id": "ac-5" - }, - { - "control-id": "ac-6" - }, - { - "control-id": "ac-6.1" - }, - { - "control-id": "ac-6.2" - }, - { - "control-id": "ac-6.5" - }, - { - "control-id": "ac-6.7" - }, - { - "control-id": "ac-6.9" - }, - { - "control-id": "ac-6.10" - }, - { - "control-id": "ac-7" - }, - { - "control-id": "ac-8" - }, - { - "control-id": "ac-11" - }, - { - "control-id": "ac-11.1" - }, - { - "control-id": "ac-12" - }, - { - "control-id": "ac-14" - }, - { - "control-id": "ac-17" - }, - { - "control-id": "ac-17.1" - }, - { - "control-id": "ac-17.2" - }, - { - "control-id": "ac-17.3" - }, - { - "control-id": "ac-17.4" - }, - { - "control-id": "ac-18" - }, - { - "control-id": "ac-18.1" - }, - { - "control-id": "ac-18.3" - }, - { - "control-id": "ac-19" - }, - { - "control-id": "ac-19.5" - }, - { - "control-id": "ac-20" - }, - { - "control-id": "ac-20.1" - }, - { - "control-id": "ac-20.2" - }, - { - "control-id": "ac-21" - }, - { - "control-id": "ac-22" - }, - { - "control-id": "at-1" - }, - { - "control-id": "at-2" - }, - { - "control-id": "at-2.2" - }, - { - "control-id": "at-2.3" - }, - { - "control-id": "at-3" - }, - { - "control-id": "at-4" - }, - { - "control-id": "au-1" - }, - { - "control-id": "au-2" - }, - { - "control-id": "au-3" - }, - { - "control-id": "au-3.1" - }, - { - "control-id": "au-4" - }, - { - "control-id": "au-5" - }, - { - "control-id": "au-6" - }, - { - "control-id": "au-6.1" - }, - { - "control-id": "au-6.3" - }, - { - "control-id": "au-7" - }, - { - "control-id": "au-7.1" - }, - { - "control-id": "au-8" - }, - { - "control-id": "au-8.1" - }, - { - "control-id": "au-9" - }, - { - "control-id": "au-9.4" - }, - { - "control-id": "au-11" - }, - { - "control-id": "au-12" - }, - { - "control-id": "ca-1" - }, - { - "control-id": "ca-2" - }, - { - "control-id": "ca-2.1" - }, - { - "control-id": "ca-3" - }, - { - "control-id": "ca-5" - }, - { - "control-id": "ca-6" - }, - { - "control-id": "ca-7" - }, - { - "control-id": "ca-7.1" - }, - { - "control-id": "ca-7.4" - }, - { - "control-id": "ca-9" - }, - { - "control-id": "cm-1" - }, - { - "control-id": "cm-2" - }, - { - "control-id": "cm-2.2" - }, - { - "control-id": "cm-2.3" - }, - { - "control-id": "cm-2.7" - }, - { - "control-id": "cm-3" - }, - { - "control-id": "cm-3.2" - }, - { - "control-id": "cm-3.4" - }, - { - "control-id": "cm-4" - }, - { - "control-id": "cm-4.2" - }, - { - "control-id": "cm-5" - }, - { - "control-id": "cm-6" - }, - { - "control-id": "cm-7" - }, - { - "control-id": "cm-7.1" - }, - { - "control-id": "cm-7.2" - }, - { - "control-id": "cm-7.5" - }, - { - "control-id": "cm-8" - }, - { - "control-id": "cm-8.1" - }, - { - "control-id": "cm-8.3" - }, - { - "control-id": "cm-9" - }, - { - "control-id": "cm-10" - }, - { - "control-id": "cm-11" - }, - { - "control-id": "cm-12" - }, - { - "control-id": "cm-12.1" - }, - { - "control-id": "cp-1" - }, - { - "control-id": "cp-2" - }, - { - "control-id": "cp-2.1" - }, - { - "control-id": "cp-2.3" - }, - { - "control-id": "cp-2.8" - }, - { - "control-id": "cp-3" - }, - { - "control-id": "cp-4" - }, - { - "control-id": "cp-4.1" - }, - { - "control-id": "cp-6" - }, - { - "control-id": "cp-6.1" - }, - { - "control-id": "cp-6.3" - }, - { - "control-id": "cp-7" - }, - { - "control-id": "cp-7.1" - }, - { - "control-id": "cp-7.2" - }, - { - "control-id": "cp-7.3" - }, - { - "control-id": "cp-8" - }, - { - "control-id": "cp-8.1" - }, - { - "control-id": "cp-8.2" - }, - { - "control-id": "cp-9" - }, - { - "control-id": "cp-9.1" - }, - { - "control-id": "cp-9.8" - }, - { - "control-id": "cp-10" - }, - { - "control-id": "cp-10.2" - }, - { - "control-id": "ia-1" - }, - { - "control-id": "ia-2" - }, - { - "control-id": "ia-2.1" - }, - { - "control-id": "ia-2.2" - }, - { - "control-id": "ia-2.8" - }, - { - "control-id": "ia-2.12" - }, - { - "control-id": "ia-3" - }, - { - "control-id": "ia-4" - }, - { - "control-id": "ia-4.4" - }, - { - "control-id": "ia-5" - }, - { - "control-id": "ia-5.1" - }, - { - "control-id": "ia-5.2" - }, - { - "control-id": "ia-5.6" - }, - { - "control-id": "ia-6" - }, - { - "control-id": "ia-7" - }, - { - "control-id": "ia-8" - }, - { - "control-id": "ia-8.1" - }, - { - "control-id": "ia-8.2" - }, - { - "control-id": "ia-8.4" - }, - { - "control-id": "ia-11" - }, - { - "control-id": "ia-12" - }, - { - "control-id": "ia-12.2" - }, - { - "control-id": "ia-12.3" - }, - { - "control-id": "ia-12.5" - }, - { - "control-id": "ir-1" - }, - { - "control-id": "ir-2" - }, - { - "control-id": "ir-3" - }, - { - "control-id": "ir-3.2" - }, - { - "control-id": "ir-4" - }, - { - "control-id": "ir-4.1" - }, - { - "control-id": "ir-5" - }, - { - "control-id": "ir-6" - }, - { - "control-id": "ir-6.1" - }, - { - "control-id": "ir-6.3" - }, - { - "control-id": "ir-7" - }, - { - "control-id": "ir-7.1" - }, - { - "control-id": "ir-8" - }, - { - "control-id": "ma-1" - }, - { - "control-id": "ma-2" - }, - { - "control-id": "ma-3" - }, - { - "control-id": "ma-3.1" - }, - { - "control-id": "ma-3.2" - }, - { - "control-id": "ma-3.3" - }, - { - "control-id": "ma-4" - }, - { - "control-id": "ma-5" - }, - { - "control-id": "ma-6" - }, - { - "control-id": "mp-1" - }, - { - "control-id": "mp-2" - }, - { - "control-id": "mp-3" - }, - { - "control-id": "mp-4" - }, - { - "control-id": "mp-5" - }, - { - "control-id": "mp-6" - }, - { - "control-id": "mp-7" - }, - { - "control-id": "pe-1" - }, - { - "control-id": "pe-2" - }, - { - "control-id": "pe-3" - }, - { - "control-id": "pe-4" - }, - { - "control-id": "pe-5" - }, - { - "control-id": "pe-6" - }, - { - "control-id": "pe-6.1" - }, - { - "control-id": "pe-8" - }, - { - "control-id": "pe-9" - }, - { - "control-id": "pe-10" - }, - { - "control-id": "pe-11" - }, - { - "control-id": "pe-12" - }, - { - "control-id": "pe-13" - }, - { - "control-id": "pe-13.1" - }, - { - "control-id": "pe-14" - }, - { - "control-id": "pe-15" - }, - { - "control-id": "pe-16" - }, - { - "control-id": "pe-17" - }, - { - "control-id": "pl-1" - }, - { - "control-id": "pl-2" - }, - { - "control-id": "pl-4" - }, - { - "control-id": "pl-4.1" - }, - { - "control-id": "pl-8" - }, - { - "control-id": "pl-10" - }, - { - "control-id": "pl-11" - }, - { - "control-id": "pm-1" - }, - { - "control-id": "pm-2" - }, - { - "control-id": "pm-3" - }, - { - "control-id": "pm-4" - }, - { - "control-id": "pm-5" - }, - { - "control-id": "pm-5.1" - }, - { - "control-id": "pm-6" - }, - { - "control-id": "pm-7" - }, - { - "control-id": "pm-7.1" - }, - { - "control-id": "pm-8" - }, - { - "control-id": "pm-9" - }, - { - "control-id": "pm-10" - }, - { - "control-id": "pm-11" - }, - { - "control-id": "pm-12" - }, - { - "control-id": "pm-13" - }, - { - "control-id": "pm-14" - }, - { - "control-id": "pm-15" - }, - { - "control-id": "pm-16" - }, - { - "control-id": "pm-16.1" - }, - { - "control-id": "pm-17" - }, - { - "control-id": "pm-18" - }, - { - "control-id": "pm-19" - }, - { - "control-id": "pm-20" - }, - { - "control-id": "pm-21" - }, - { - "control-id": "pm-22" - }, - { - "control-id": "pm-23" - }, - { - "control-id": "pm-24" - }, - { - "control-id": "pm-25" - }, - { - "control-id": "pm-26" - }, - { - "control-id": "pm-27" - }, - { - "control-id": "pm-28" - }, - { - "control-id": "pm-29" - }, - { - "control-id": "pm-30" - }, - { - "control-id": "pm-31" - }, - { - "control-id": "pm-32" - }, - { - "control-id": "ps-1" - }, - { - "control-id": "ps-2" - }, - { - "control-id": "ps-3" - }, - { - "control-id": "ps-4" - }, - { - "control-id": "ps-5" - }, - { - "control-id": "ps-6" - }, - { - "control-id": "ps-7" - }, - { - "control-id": "ps-8" - }, - { - "control-id": "ra-1" - }, - { - "control-id": "ra-2" - }, - { - "control-id": "ra-3" - }, - { - "control-id": "ra-3.1" - }, - { - "control-id": "ra-5" - }, - { - "control-id": "ra-5.2" - }, - { - "control-id": "ra-5.5" - }, - { - "control-id": "ra-7" - }, - { - "control-id": "ra-9" - }, - { - "control-id": "sa-1" - }, - { - "control-id": "sa-2" - }, - { - "control-id": "sa-3" - }, - { - "control-id": "sa-4" - }, - { - "control-id": "sa-4.1" - }, - { - "control-id": "sa-4.2" - }, - { - "control-id": "sa-4.9" - }, - { - "control-id": "sa-4.10" - }, - { - "control-id": "sa-5" - }, - { - "control-id": "sa-8" - }, - { - "control-id": "sa-9" - }, - { - "control-id": "sa-9.2" - }, - { - "control-id": "sa-10" - }, - { - "control-id": "sa-11" - }, - { - "control-id": "sa-15" - }, - { - "control-id": "sa-15.3" - }, - { - "control-id": "sa-22" - }, - { - "control-id": "sc-1" - }, - { - "control-id": "sc-2" - }, - { - "control-id": "sc-4" - }, - { - "control-id": "sc-5" - }, - { - "control-id": "sc-7" - }, - { - "control-id": "sc-7.3" - }, - { - "control-id": "sc-7.4" - }, - { - "control-id": "sc-7.5" - }, - { - "control-id": "sc-7.7" - }, - { - "control-id": "sc-7.8" - }, - { - "control-id": "sc-8" - }, - { - "control-id": "sc-8.1" - }, - { - "control-id": "sc-10" - }, - { - "control-id": "sc-12" - }, - { - "control-id": "sc-13" - }, - { - "control-id": "sc-15" - }, - { - "control-id": "sc-17" - }, - { - "control-id": "sc-18" - }, - { - "control-id": "sc-20" - }, - { - "control-id": "sc-21" - }, - { - "control-id": "sc-22" - }, - { - "control-id": "sc-23" - }, - { - "control-id": "sc-28" - }, - { - "control-id": "sc-28.1" - }, - { - "control-id": "sc-39" - }, - { - "control-id": "si-1" - }, - { - "control-id": "si-2" - }, - { - "control-id": "si-2.2" - }, - { - "control-id": "si-3" - }, - { - "control-id": "si-3.1" - }, - { - "control-id": "si-4" - }, - { - "control-id": "si-4.2" - }, - { - "control-id": "si-4.4" - }, - { - "control-id": "si-4.5" - }, - { - "control-id": "si-5" - }, - { - "control-id": "si-7" - }, - { - "control-id": "si-7.1" - }, - { - "control-id": "si-7.7" - }, - { - "control-id": "si-8" - }, - { - "control-id": "si-8.1" - }, - { - "control-id": "si-8.2" - }, - { - "control-id": "si-10" - }, - { - "control-id": "si-11" - }, - { - "control-id": "si-12" - }, - { - "control-id": "si-16" - }, - { - "control-id": "sr-1" - }, - { - "control-id": "sr-2" - }, - { - "control-id": "sr-2.1" - }, - { - "control-id": "sr-3" - }, - { - "control-id": "sr-5" - }, - { - "control-id": "sr-6" - }, - { - "control-id": "sr-8" - }, - { - "control-id": "sr-10" - }, - { - "control-id": "sr-11" - }, - { - "control-id": "sr-11.1" - }, - { - "control-id": "sr-11.2" - }, - { - "control-id": "sr-11.3" - } - ] - } - } - ], - "merge": { - "as-is": true - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog-min.json deleted file mode 100644 index def720be94..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog-min.json +++ /dev/null @@ -1 +0,0 @@ -{"catalog":{"uuid":"9c407281-40f0-4c8b-9e99-7cee1529b5b1","metadata":{"title":"SP800-53 PRIVACY BASELINE","last-modified":"2020-08-26T16:28:37.032-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:39:57.58205Z"}],"links":[{"href":"NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml","rel":"resolution-source","text":"SP800-53 PRIVACY BASELINE"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696"]},"contact":{"party-uuids":["d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2"},{"id":"ac-1_prm_3","label":"organization-defined official"},{"id":"ac-1_prm_4","label":"organization-defined frequency"},{"id":"ac-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-1"},{"name":"sort-id","value":"AC-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#bb22d510-54a9-4588-b725-00d37576562b","rel":"reference","text":"[IR 7874]"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ac-1_prm_2 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ac-1_prm_4 }}; and"},{"id":"ac-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ac-1_prm_5 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2"},{"id":"at-1_prm_3","label":"organization-defined official"},{"id":"at-1_prm_4","label":"organization-defined frequency"},{"id":"at-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-1"},{"name":"sort-id","value":"AT-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ at-1_prm_2 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ at-1_prm_4 }}; and"},{"id":"at-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ at-1_prm_5 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"at-2","class":"SP800-53","title":"Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency"},{"id":"at-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-2"},{"name":"sort-id","value":"AT-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-16","rel":"related","text":"SA-16"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update awareness training {{ at-2_prm_2 }}."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective."}],"controls":[{"id":"at-2.5","class":"SP800-53-enhancement","title":"Breach","properties":[{"name":"label","value":"AT-2(5)"},{"name":"sort-id","value":"AT-02(05)"}],"links":[{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ir-2","rel":"related","text":"IR-2"}],"parts":[{"id":"at-2.5_smt","name":"statement","prose":"Provide awareness training on how to identify and respond to a breach, including the organization’s process for reporting a breach."},{"id":"at-2.5_gdn","name":"guidance","prose":"A breach is a type of incident that involves personally identifiable information. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The awareness training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Awareness training includes tabletop exercises that simulate a breach."}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined roles and responsibilities"},{"id":"at-3_prm_2","label":"organization-defined frequency"},{"id":"at-3_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-3"},{"name":"sort-id","value":"AT-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-13","rel":"related","text":"PM-13"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"}]},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update role-based training {{ at-3_prm_3 }}."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective."}],"controls":[{"id":"at-3.5","class":"SP800-53-enhancement","title":"Accessing Personally Identifiable Information","parameters":[{"id":"at-3.5_prm_1","label":"organization-defined personnel or roles"},{"id":"at-3.5_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-3(5)"},{"name":"sort-id","value":"AT-03(05)"}],"parts":[{"id":"at-3.5_smt","name":"statement","prose":"Provide {{ at-3.5_prm_1 }} with initial and {{ at-3.5_prm_2 }} training on:","parts":[{"id":"at-3.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Organizational authority for collecting personally identifiable information;"},{"id":"at-3.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Authorized uses of personally identifiable information;"},{"id":"at-3.5_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Identifying, reporting, and responding to a suspected or confirmed breach;"},{"id":"at-3.5_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Content of system of records notices, computer matching agreements, and privacy impact assessments;"},{"id":"at-3.5_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Authorized sharing of personally identifiable information with external parties; and"},{"id":"at-3.5_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Rules of behavior and the consequences for unauthorized collection, use, or sharing of personally identifiable information."}]},{"id":"at-3.5_gdn","name":"guidance","prose":"Role-based training addresses the responsibility of individuals when accessing personally identifiable information; the organization’s established rules of behavior when accessing personally identifiable information; the consequences for violating the rules of behavior; and how to respond to a breach. Role-based training helps ensure personnel comply with applicable privacy requirements and is necessary to manage privacy risks."}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"AT-4"},{"name":"sort-id","value":"AT-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2"},{"id":"au-1_prm_3","label":"organization-defined official"},{"id":"au-1_prm_4","label":"organization-defined frequency"},{"id":"au-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-1"},{"name":"sort-id","value":"AU-01"}],"links":[{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ au-1_prm_2 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ au-1_prm_4 }}; and"},{"id":"au-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ au-1_prm_5 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","parameters":[{"id":"au-2_prm_1","label":"organization-defined event types that the system is capable of logging"},{"id":"au-2_prm_2","label":"organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-2"},{"name":"sort-id","value":"AU-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#02d8ec60-6197-43f8-9f47-18732127963e","rel":"reference","text":"[SP 800-92]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pm-21","rel":"related","text":"PM-21"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#si-10","rel":"related","text":"SI-10"},{"href":"#si-11","rel":"related","text":"SI-11"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ au-2_prm_3 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time-period consistent with records retention policy"}],"properties":[{"name":"label","value":"AU-11"},{"name":"sort-id","value":"AU-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-14","rel":"related","text":"AU-14"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention."}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2"},{"id":"ca-1_prm_3","label":"organization-defined official"},{"id":"ca-1_prm_4","label":"organization-defined frequency"},{"id":"ca-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-1"},{"name":"sort-id","value":"CA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ca-1_prm_4 }}; and"},{"id":"ca-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ca-1_prm_5 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"properties":[{"name":"label","value":"CA-2"},{"name":"sort-id","value":"CA-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-3","rel":"related","text":"SR-3"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Provide the results of the control assessment to {{ ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control."}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-5"},{"name":"sort-id","value":"CA-05"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB."}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"CA-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined system-level metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-7"},{"name":"sort-id","value":"CA-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#851b5ba4-6aa0-4583-857c-4c360cbdf2a0","rel":"reference","text":"[IR 8011 v1]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-31","rel":"related","text":"PM-31"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-6","rel":"related","text":"SR-6"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}],"controls":[{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","properties":[{"name":"label","value":"CA-7(4)"},{"name":"sort-id","value":"CA-07(04)"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2"},{"id":"cm-1_prm_3","label":"organization-defined official"},{"id":"cm-1_prm_4","label":"organization-defined frequency"},{"id":"cm-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-1"},{"name":"sort-id","value":"CM-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ cm-1_prm_2 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ cm-1_prm_4 }}; and"},{"id":"cm-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ cm-1_prm_5 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"CM-04"}],"links":[{"href":"#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","rel":"reference","text":"[SP 800-128]"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required."}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2"},{"id":"ir-1_prm_3","label":"organization-defined official"},{"id":"ir-1_prm_4","label":"organization-defined frequency"},{"id":"ir-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-1"},{"name":"sort-id","value":"IR-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#2e29c363-d5be-47ba-92f5-f8a58a69b65e","rel":"reference","text":"[SP 800-50]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","rel":"reference","text":"[SP 800-83]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ir-1_prm_2 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ir-1_prm_4 }}; and"},{"id":"ir-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ir-1_prm_5 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","parameters":[{"id":"ir-3_prm_1","label":"organization-defined frequency"},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"properties":[{"name":"label","value":"IR-3"},{"name":"sort-id","value":"IR-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#20bf433b-074c-47a0-8fca-cd591772ccd6","rel":"reference","text":"[SP 800-84]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-14","rel":"related","text":"PM-14"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"IR-04"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#35dfd59f-eef2-4f71-bdb5-6d878267456a","rel":"reference","text":"[SP 800-86]"},{"href":"#1e2c475a-84ae-4c60-b420-8fb2ea552b71","rel":"reference","text":"[SP 800-101]"},{"href":"#ad3e8f21-07c6-4968-b002-00b64dfa70ae","rel":"reference","text":"[SP 800-150]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#08f518f7-f9b9-4bee-8986-860214f46b16","rel":"reference","text":"[SP 800-184]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-10","rel":"related","text":"IR-10"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk."}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time-period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"label","value":"IR-6"},{"name":"sort-id","value":"IR-06"}],"links":[{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ir-9","rel":"related","text":"IR-9"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"IR-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","rel":"reference","text":"[IR 7559]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-26","rel":"related","text":"PM-26"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined frequency"},{"id":"ir-8_prm_3","label":"organization-defined entities, personnel, or roles"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"},{"id":"ir-8_prm_5","label":"organization-defined incident response personnel (identified by name and/or by role) and organizational elements"}],"properties":[{"name":"label","value":"IR-8"},{"name":"sort-id","value":"IR-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","rel":"reference","text":"[SP 800-61]"},{"href":"#389fe193-866e-46b1-bf1d-38904b56aa7b","rel":"reference","text":"[OMB M-17-12]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-8","rel":"related","text":"SR-8"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and"},{"id":"ir-8_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}."}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ ir-8_prm_4 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ ir-8_prm_5 }}; and"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."}],"controls":[{"id":"ir-8.1","class":"SP800-53-enhancement","title":"Privacy Breaches","properties":[{"name":"label","value":"IR-8(1)"},{"name":"sort-id","value":"IR-08(01)"}],"links":[{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-5","rel":"related","text":"PT-5"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-8","rel":"related","text":"PT-8"}],"parts":[{"id":"ir-8.1_smt","name":"statement","prose":"Include the following in the Incident Response Plan for breaches involving personally identifiable information:","parts":[{"id":"ir-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"},{"id":"ir-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and"},{"id":"ir-8.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Identification of applicable privacy requirements."}]},{"id":"ir-8.1_gdn","name":"guidance","prose":"Organizations may be required by law, regulation, or policy to follow specific procedures relating to privacy breaches, including notice to individuals, affected organizations, and oversight bodies, standards of harm, and mitigation or other specific requirements."}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2"},{"id":"mp-1_prm_3","label":"organization-defined official"},{"id":"mp-1_prm_4","label":"organization-defined frequency"},{"id":"mp-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MP-1"},{"name":"sort-id","value":"MP-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ mp-1_prm_2 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ mp-1_prm_4 }}; and"},{"id":"mp-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ mp-1_prm_5 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"MP-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#fed6a3b5-2b74-499f-9172-46671f7c24c8","rel":"reference","text":"[SP 800-88]"},{"href":"#18c6942b-95f8-414c-b548-c8e6b8d8a172","rel":"reference","text":"[SP 800-124]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#a52271dc-11b5-423a-8b6f-14867bd94259","rel":"reference","text":"[NSA MEDIA]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"},{"href":"#si-19","rel":"related","text":"SI-19"},{"href":"#sr-11","rel":"related","text":"SR-11"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information."}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2"},{"id":"pl-1_prm_3","label":"organization-defined official"},{"id":"pl-1_prm_4","label":"organization-defined frequency"},{"id":"pl-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-1"},{"name":"sort-id","value":"PL-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pl-1_prm_2 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pl-1_prm_4 }}; and"},{"id":"pl-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pl-1_prm_5 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","parameters":[{"id":"pl-2_prm_1","label":"organization-defined individuals or groups"},{"id":"pl-2_prm_2","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-2"},{"name":"sort-id","value":"PL-02"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-22","rel":"related","text":"SA-22"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.10","name":"item","properties":[{"name":"label","value":"10."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.11","name":"item","properties":[{"name":"label","value":"11."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.12","name":"item","properties":[{"name":"label","value":"12."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and"},{"id":"pl-2_smt.a.13","name":"item","properties":[{"name":"label","value":"13."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review the plans {{ pl-2_prm_3 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate."}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency"},{"id":"pl-4_prm_2"},{"id":"pl-4_prm_3","depends-on":"pl-4_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"PL-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ae962073-f9bb-4210-b1ad-53ef6f6afad6","rel":"reference","text":"[SP 800-18]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons."}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site/application Usage Restrictions","properties":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"PL-04(01)"}],"links":[{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-13","rel":"related","text":"AU-13"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites/applications;"},{"id":"pl-4.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information."}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","parameters":[{"id":"pl-8_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-8"},{"name":"sort-id","value":"PL-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pl-9","rel":"related","text":"PL-9"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs.\n[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented.\nPL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."}]},{"id":"pl-9","class":"SP800-53","title":"Central Management","parameters":[{"id":"pl-9_prm_1","label":"organization-defined controls and related processes"}],"properties":[{"name":"label","value":"PL-9"},{"name":"sort-id","value":"PL-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-9","rel":"related","text":"PM-9"}],"parts":[{"id":"pl-9_smt","name":"statement","prose":"Centrally manage {{ pl-9_prm_1 }}."},{"id":"pl-9_gdn","name":"guidance","prose":"Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and judicious use of organizational resources. Centrally-managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.\nAs part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6(1), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-7, SI-8."}]}]},{"id":"pm","class":"family","title":"Program Management","controls":[{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","properties":[{"name":"label","value":"PM-3"},{"name":"sort-id","value":"PM-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","properties":[{"name":"label","value":"PM-4"},{"name":"sort-id","value":"PM-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5."}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","properties":[{"name":"label","value":"PM-6"},{"name":"sort-id","value":"PM-06"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","rel":"reference","text":"[SP 800-55]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ca-7","rel":"related","text":"CA-7"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program."}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","properties":[{"name":"label","value":"PM-7"},{"name":"sort-id","value":"PM-07"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#8411e6e8-09bd-431d-bbcb-3423d36ad880","rel":"reference","text":"[SP 800-160 v2]"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-17","rel":"related","text":"SA-17"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines."}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","properties":[{"name":"label","value":"PM-8"},{"name":"sort-id","value":"PM-08"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#cde25174-38e0-4a00-8919-8ee3674b8088","rel":"reference","text":"[HSPD 7]"},{"href":"#24b7b1ec-6430-41de-9353-29fdb1b488fc","rel":"reference","text":"[DHS NIPP]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","parameters":[{"id":"pm-9_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-9"},{"name":"sort-id","value":"PM-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-2","rel":"related","text":"PM-2"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#pm-30","rel":"related","text":"PM-30"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-9","rel":"related","text":"RA-9"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive."}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","properties":[{"name":"label","value":"PM-10"},{"name":"sort-id","value":"PM-10"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pl-2","rel":"related","text":"PL-2"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","parameters":[{"id":"pm-11_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-11"},{"name":"sort-id","value":"PM-11"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#68949f14-9cf5-4116-91d8-e820b9df3ffd","rel":"reference","text":"[SP 800-60 v1]"},{"href":"#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","rel":"reference","text":"[SP 800-60 v2]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-2","rel":"related","text":"SA-2"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ pm-11_prm_1 }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures."}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","properties":[{"name":"label","value":"PM-13"},{"name":"sort-id","value":"PM-13"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f4c3f657-de83-47ae-9aec-e144de8268d1","rel":"reference","text":"[SP 800-181]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","properties":[{"name":"label","value":"PM-14"},{"name":"sort-id","value":"PM-14"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#a6b97214-55d4-4b86-a3a4-53d5911d96f7","rel":"reference","text":"[SP 800-115]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","properties":[{"name":"label","value":"PM-18"},{"name":"sort-id","value":"PM-18"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","properties":[{"name":"label","value":"PM-19"},{"name":"sort-id","value":"PM-19"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-18","rel":"related","text":"PM-18"},{"href":"#pm-20","rel":"related","text":"PM-20"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-24","rel":"related","text":"PM-24"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)."}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","properties":[{"name":"label","value":"PM-20"},{"name":"sort-id","value":"PM-20"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#f7d3617a-9a4f-4f1a-a688-845081b70390","rel":"reference","text":"[OMB M-17-06]"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-8","rel":"related","text":"RA-8"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications."}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","properties":[{"name":"label","value":"PM-21"},{"name":"sort-id","value":"PM-21"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pt-2","rel":"related","text":"PT-2"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the person or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions."}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","properties":[{"name":"label","value":"PM-22"},{"name":"sort-id","value":"PM-22"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","properties":[{"name":"label","value":"PM-24"},{"name":"sort-id","value":"PM-24"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-8","rel":"related","text":"PT-8"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Pii Used in Testing, Training, and Research","parameters":[{"id":"pm-25_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-25"},{"name":"sort-id","value":"PM-25"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#sa-3","rel":"related","text":"SA-3"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)."}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","parameters":[{"id":"pm-26_prm_1","label":"organization-defined time-period"},{"id":"pm-26_prm_2","label":"organization-defined time-period"},{"id":"pm-26_prm_3","label":"organization-defined time-period"}],"properties":[{"name":"label","value":"PM-26"},{"name":"sort-id","value":"PM-26"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and"},{"id":"pm-26_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information."}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","parameters":[{"id":"pm-27_prm_1","label":"organization-defined privacy reports"},{"id":"pm-27_prm_2","label":"organization-defined officials"},{"id":"pm-27_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-27"},{"name":"sort-id","value":"PM-27"}],"links":[{"href":"#14958422-54f6-471f-a345-802dca594dd8","rel":"reference","text":"[FISMA]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-19","rel":"related","text":"PM-19"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop {{ pm-27_prm_1 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ pm-27_prm_3 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","parameters":[{"id":"pm-31_prm_1","label":"organization-defined metrics"},{"id":"pm-31_prm_2","label":"organization-defined frequencies"},{"id":"pm-31_prm_3","label":"organization-defined frequencies"},{"id":"pm-31_prm_4","label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PM-31"},{"name":"sort-id","value":"PM-31"}],"links":[{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-13","rel":"related","text":"AU-13"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pe-20","rel":"related","text":"PE-20"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#pm-14","rel":"related","text":"PM-14"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#sr-2","rel":"related","text":"SR-2"},{"href":"#sr-4","rel":"related","text":"SR-4"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};"},{"id":"pm-31_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;"},{"id":"pm-31_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4."}]},{"id":"pm-33","class":"SP800-53","title":"Privacy Policies on Websites, Applications, and Digital Services","properties":[{"name":"label","value":"PM-33"},{"name":"sort-id","value":"PM-33"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-19","rel":"related","text":"PM-19"},{"href":"#pm-20","rel":"related","text":"PM-20"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-8","rel":"related","text":"RA-8"}],"parts":[{"id":"pm-33_smt","name":"statement","prose":"Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:","parts":[{"id":"pm-33_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Are written in plain language and organized in a way that is easy to understand and navigate;"},{"id":"pm-33_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide useful information that the public would need to make an informed decision about whether and how to interact with the organization; and"},{"id":"pm-33_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes."}]},{"id":"pm-33_gdn","name":"guidance","prose":"Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations should post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations should provide a link to the privacy policy on any webpage that collects personally identifiable information."}]}]},{"id":"pt","class":"family","title":"Personally Identifiable Information Processing and Transparency","controls":[{"id":"pt-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"pt-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pt-1_prm_2"},{"id":"pt-1_prm_3","label":"organization-defined official"},{"id":"pt-1_prm_4","label":"organization-defined frequency"},{"id":"pt-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PT-1"},{"name":"sort-id","value":"PT-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"}],"parts":[{"id":"pt-1_smt","name":"statement","parts":[{"id":"pt-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ pt-1_prm_1 }}:","parts":[{"id":"pt-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ pt-1_prm_2 }} personally identifiable information processing and transparency policy that:","parts":[{"id":"pt-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pt-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pt-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;"}]},{"id":"pt-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ pt-1_prm_3 }} to manage the development, documentation, and dissemination of the incident personally identifiable information processing and transparency policy and procedures; and"},{"id":"pt-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current personally identifiable information processing and transparency:","parts":[{"id":"pt-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ pt-1_prm_4 }}; and"},{"id":"pt-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ pt-1_prm_5 }}."}]}]},{"id":"pt-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the PT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"pt-2","class":"SP800-53","title":"Authority to Process Personally Identifiable Information","parameters":[{"id":"pt-2_prm_1","label":"organization-defined authority"},{"id":"pt-2_prm_2","label":"organization-defined processing"},{"id":"pt-2_prm_3","label":"organization-defined processing"}],"properties":[{"name":"label","value":"PT-2"},{"name":"sort-id","value":"PT-02"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pt-2_smt","name":"statement","parts":[{"id":"pt-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ pt-2_prm_1 }} that permits the {{ pt-2_prm_2 }} of personally identifiable information; and"},{"id":"pt-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Restrict the {{ pt-2_prm_3 }} of personally identifiable information to only that which is authorized."}]},{"id":"pt-2_gdn","name":"guidance","prose":"Processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes, but is not limited to, creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.\nOrganizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organizations’ policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise from its processing. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.\nOrganizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT] statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.\nOrganizations take steps to ensure that personally identifiable information is processed only for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information."}]},{"id":"pt-3","class":"SP800-53","title":"Personally Identifiable Information Processing Purposes","parameters":[{"id":"pt-3_prm_1","label":"Assignment organization-defined purpose(s)"},{"id":"pt-3_prm_2","label":"organization-defined processing"},{"id":"pt-3_prm_3","label":"organization-defined mechanisms"},{"id":"pt-3_prm_4","label":"organization-defined requirements"}],"properties":[{"name":"label","value":"PT-3"},{"name":"sort-id","value":"PT-03"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-25","rel":"related","text":"PM-25"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#pt-7","rel":"related","text":"PT-7"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-8","rel":"related","text":"RA-8"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-12","rel":"related","text":"SI-12"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pt-3_smt","name":"statement","parts":[{"id":"pt-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identify and document the {{ pt-3_prm_1 }} for processing personally identifiable information;"},{"id":"pt-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Describe the purpose(s) in the public privacy notices and policies of the organization;"},{"id":"pt-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Restrict the {{ pt-3_prm_2 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and"},{"id":"pt-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitor changes in processing personally identifiable information and implement {{ pt-3_prm_3 }} to ensure that any changes are made in accordance with {{ pt-3_prm_4 }}."}]},{"id":"pt-3_gdn","name":"guidance","prose":"Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system, and individuals whose information is processed by the system, to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations, and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT] statements, computer matching notices, and other applicable Federal Register notices.\nOrganizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.\nOrganizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes arising from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks arising from changes in personally identifiable information processing purposes."}]},{"id":"pt-4","class":"SP800-53","title":"Minimization","parameters":[{"id":"pt-4_prm_1","label":"organization-defined processes"}],"properties":[{"name":"label","value":"PT-4"},{"name":"sort-id","value":"PT-04"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#pm-25","rel":"related","text":"PM-25"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sc-42","rel":"related","text":"SC-42"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"pt-4_smt","name":"statement","prose":"Implement the privacy principle of minimization using {{ pt-4_prm_1 }}."},{"id":"pt-4_gdn","name":"guidance","prose":"The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose, and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization."}]},{"id":"pt-5","class":"SP800-53","title":"Consent","parameters":[{"id":"pt-5_prm_1","label":"organization-defined tools or mechanisms"}],"properties":[{"name":"label","value":"PT-5"},{"name":"sort-id","value":"PT-05"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#549993c0-9bdd-4d49-875c-f56950cc5f30","rel":"reference","text":"[SP 800-63-3]"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#pt-6","rel":"related","text":"PT-6"}],"parts":[{"id":"pt-5_smt","name":"statement","prose":"Implement {{ pt-5_prm_1 }} for individuals to consent to the processing of their personally identifiable information prior to its collection that:","parts":[{"id":"pt-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Facilitate individuals’ informed decision-making; and"},{"id":"pt-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provide a means for individuals to decline consent."}]},{"id":"pt-5_gdn","name":"guidance","prose":"Consent allows individuals to participate in the decision-making about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting this control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks arising from their authorization. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the data actions carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon."}]},{"id":"pt-6","class":"SP800-53","title":"Privacy Notice","parameters":[{"id":"pt-6_prm_1","label":"organization-defined frequency"},{"id":"pt-6_prm_2","label":"organization-defined information"}],"properties":[{"name":"label","value":"PT-6"},{"name":"sort-id","value":"PT-06"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#pm-20","rel":"related","text":"PM-20"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-5","rel":"related","text":"PT-5"},{"href":"#pt-8","rel":"related","text":"PT-8"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#si-18","rel":"related","text":"SI-18"}],"parts":[{"id":"pt-6_smt","name":"statement","prose":"Provide notice to individuals about the processing of personally identifiable information that:","parts":[{"id":"pt-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Is available to individuals upon first interacting with an organization, and subsequently at {{ pt-6_prm_1 }};"},{"id":"pt-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;"},{"id":"pt-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies the authority that authorizes the processing of personally identifiable information;"},{"id":"pt-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Identifies the purposes for which personally identifiable information is to be processed; and"},{"id":"pt-6_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Includes {{ pt-6_prm_2 }}."}]},{"id":"pt-6_gdn","name":"guidance","prose":"Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and, other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.\nPrivacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon."}],"controls":[{"id":"pt-6.2","class":"SP800-53-enhancement","title":"Privacy Act Statements","properties":[{"name":"label","value":"PT-6(2)"},{"name":"sort-id","value":"PT-06(02)"}],"links":[{"href":"#pt-7","rel":"related","text":"PT-7"}],"parts":[{"id":"pt-6.2_smt","name":"statement","prose":"Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals."},{"id":"pt-6.2_gdn","name":"guidance","prose":"If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT] statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT] statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.\n[PRIVACT] statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT]."}]}]},{"id":"pt-7","class":"SP800-53","title":"System of Records Notice","properties":[{"name":"label","value":"PT-7"},{"name":"sort-id","value":"PT-07"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#pm-20","rel":"related","text":"PM-20"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-6","rel":"related","text":"PT-6"}],"parts":[{"id":"pt-7_smt","name":"statement","prose":"For systems that process information that will be maintained in a Privacy Act system of records:","parts":[{"id":"pt-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;"},{"id":"pt-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Publish system of records notices in the Federal Register; and"},{"id":"pt-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Keep system of records notices accurate, up-to-date, and scoped in accordance with policy."}]},{"id":"pt-7_gdn","name":"guidance","prose":"The [PRIVACT] requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a [PRIVACT] system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system, and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108]."}],"controls":[{"id":"pt-7.1","class":"SP800-53-enhancement","title":"Routine Uses","parameters":[{"id":"pt-7.1_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PT-7(1)"},{"name":"sort-id","value":"PT-07(01)"}],"parts":[{"id":"pt-7.1_smt","name":"statement","prose":"Review all routine uses published in the system of records notice at {{ pt-7.1_prm_1 }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."},{"id":"pt-7.1_gdn","name":"guidance","prose":"A [PRIVACT] routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT] prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT] requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice."}]},{"id":"pt-7.2","class":"SP800-53-enhancement","title":"Exemption Rules","parameters":[{"id":"pt-7.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PT-7(2)"},{"name":"sort-id","value":"PT-07(02)"}],"parts":[{"id":"pt-7.2_smt","name":"statement","prose":"Review all Privacy Act exemptions claimed for the system of records at {{ pt-7.2_prm_1 }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice."},{"id":"pt-7.2_gdn","name":"guidance","prose":"The [PRIVACT] includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. These provisions allow agencies in certain circumstances to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate."}]}]},{"id":"pt-8","class":"SP800-53","title":"Specific Categories of Personally Identifiable Information","parameters":[{"id":"pt-8_prm_1","label":"organization-defined processing conditions"}],"properties":[{"name":"label","value":"PT-8"},{"name":"sort-id","value":"PT-08"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"}],"parts":[{"id":"pt-8_smt","name":"statement","prose":"Apply {{ pt-8_prm_1 }} for specific categories of personally identifiable information."},{"id":"pt-8_gdn","name":"guidance","prose":"Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from organizational policies and determinations when an organization has determined that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary."}],"controls":[{"id":"pt-8.1","class":"SP800-53-enhancement","title":"Social Security Numbers","properties":[{"name":"label","value":"PT-8(1)"},{"name":"sort-id","value":"PT-08(01)"}],"parts":[{"id":"pt-8.1_smt","name":"statement","prose":"When a system processes Social Security numbers:","parts":[{"id":"pt-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;"},{"id":"pt-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and"},{"id":"pt-8.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it."}]},{"id":"pt-8.1_gdn","name":"guidance","prose":"Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information, and observe any particular requirements that apply."}]},{"id":"pt-8.2","class":"SP800-53-enhancement","title":"First Amendment Information","properties":[{"name":"label","value":"PT-8(2)"},{"name":"sort-id","value":"PT-08(02)"}],"parts":[{"id":"pt-8.2_smt","name":"statement","prose":"Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."},{"id":"pt-8.2_gdn","name":"guidance","prose":"None.\nRelated Controls: The [PRIVACT] limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements."}]}]},{"id":"pt-9","class":"SP800-53","title":"Computer Matching Requirements","properties":[{"name":"label","value":"PT-9"},{"name":"sort-id","value":"PT-09"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#395f6bb9-bcc2-41fc-977f-04372f4a6a82","rel":"reference","text":"[OMB A-108]"},{"href":"#pm-24","rel":"related","text":"PM-24"}],"parts":[{"id":"pt-9_smt","name":"statement","prose":"When a system or organization processes information for the purpose of conducting a matching program:","parts":[{"id":"pt-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtain approval from the Data Integrity Board to conduct the matching program;"},{"id":"pt-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Develop and enter into a computer matching agreement;"},{"id":"pt-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Publish a matching notice in the Federal Register;"},{"id":"pt-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and"},{"id":"pt-9_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual."}]},{"id":"pt-9_gdn","name":"guidance","prose":"The [PRIVACT] establishes a set of requirements for federal and non-federal agencies when they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. A Federal benefit match is performed for purposes of determining or verifying eligibility for payments under Federal benefit programs, or recouping payments or delinquent debts under Federal benefit programs. A matching program involves not just the matching activity itself, but also the investigative follow-up and ultimate action, if any."}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2"},{"id":"ra-1_prm_3","label":"organization-defined official"},{"id":"ra-1_prm_4","label":"organization-defined frequency"},{"id":"ra-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-1"},{"name":"sort-id","value":"RA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ ra-1_prm_2 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ ra-1_prm_4 }}; and"},{"id":"ra-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ ra-1_prm_5 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"RA-03"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#7e7538d7-9c3a-4e5f-bbb4-638cec975415","rel":"reference","text":"[IR 8023]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-18","rel":"related","text":"PE-18"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#ra-7","rel":"related","text":"RA-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","properties":[{"name":"label","value":"RA-7"},{"name":"sort-id","value":"RA-07"}],"links":[{"href":"#b3e26423-0687-47c7-ba9a-a96870d58a27","rel":"reference","text":"[FIPS 199]"},{"href":"#f2163084-3287-45e2-9ee7-95f020415495","rel":"reference","text":"[FIPS 200]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ir-9","rel":"related","text":"IR-9"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-28","rel":"related","text":"PM-28"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sr-2","rel":"related","text":"SR-2"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."}]},{"id":"ra-8","class":"SP800-53","title":"Privacy Impact Assessments","properties":[{"name":"label","value":"RA-8"},{"name":"sort-id","value":"RA-08"}],"links":[{"href":"#bc2bf069-c3a5-48a4-a274-684d997be0c2","rel":"reference","text":"[EGOV]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#cm-13","rel":"related","text":"CM-13"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#pt-6","rel":"related","text":"PT-6"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#ra-7","rel":"related","text":"RA-7"}],"parts":[{"id":"ra-8_smt","name":"statement","prose":"Conduct privacy impact assessments for systems, programs, or other activities before:","parts":[{"id":"ra-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Developing or procuring information technology that processes personally identifiable information; and"},{"id":"ra-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiating a new collection of personally identifiable information that:","parts":[{"id":"ra-8_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Will be processed using information technology; and"},{"id":"ra-8_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes personally identifiable information permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the federal government."}]}]},{"id":"ra-8_gdn","name":"guidance","prose":"A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis.\nOrganizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.\nTo conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes which may have different labels, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision."}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2"},{"id":"sa-1_prm_3","label":"organization-defined official"},{"id":"sa-1_prm_4","label":"organization-defined frequency"},{"id":"sa-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SA-1"},{"name":"sort-id","value":"SA-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#451e9636-402e-4c27-b3f5-e0e50f957f27","rel":"reference","text":"[SP 800-39]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ sa-1_prm_2 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ sa-1_prm_4 }}; and"},{"id":"sa-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ sa-1_prm_5 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","parameters":[{"id":"sa-4_prm_1"},{"id":"sa-4_prm_2","depends-on":"sa-4_prm_1","label":"organization-defined contract language"}],"properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"SA-04"}],"links":[{"href":"#a7dfa526-b81f-41d7-9875-c8b0faafe74b","rel":"reference","text":"[PRIVACT]"},{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#6ddb507b-6ddb-4e15-a8d4-0854e704446e","rel":"reference","text":"[ISO 15408-1]"},{"href":"#18abb755-c10f-407d-b0ef-4f99e5ec4a49","rel":"reference","text":"[ISO 15408-2]"},{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","rel":"reference","text":"[FIPS 140-3]"},{"href":"#ab414c48-b7a2-4ffe-b74d-4d8b8120adce","rel":"reference","text":"[FIPS 201-2]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#e07d73ea-96b9-4330-aff2-e0215f455343","rel":"reference","text":"[SP 800-37]"},{"href":"#14a7d982-9747-48e0-a877-3e8fbf6ae381","rel":"reference","text":"[SP 800-70]"},{"href":"#3d6b3a16-94e7-4a43-8648-8bdeaadb271b","rel":"reference","text":"[SP 800-73-4]"},{"href":"#c3b34083-77b2-4dab-a980-73068f8933bd","rel":"reference","text":"[SP 800-137]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#d4779b49-8acc-45ef-b4f0-30f945e81d1b","rel":"reference","text":"[IR 7539]"},{"href":"#7b03adec-4405-4aac-94a0-6a9eb3f42e31","rel":"reference","text":"[IR 7622]"},{"href":"#daf69edb-a0ef-4447-9880-8c4bf553181f","rel":"reference","text":"[IR 7676]"},{"href":"#197f7ba7-9af8-4a67-b3a4-5523d850e53b","rel":"reference","text":"[IR 7870]"},{"href":"#817b4227-5857-494d-9032-915980b32f15","rel":"reference","text":"[IR 8062]"},{"href":"#5dac2312-1d0d-416f-aebb-400fa9775b74","rel":"reference","text":"[NIAP CCEVS]"},{"href":"#634dec27-df88-4c30-b1a4-b57cdfd24f20","rel":"reference","text":"[NSA CSFC]"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-16","rel":"related","text":"SA-16"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sa-21","rel":"related","text":"SA-21"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement."}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"SA-09"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#ed919d0d-8e21-4df6-801d-3fbc4cb8a505","rel":"reference","text":"[SP 800-35]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#66476e76-46b4-47fb-be19-d13e6f3840df","rel":"reference","text":"[SP 800-161]"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#pl-10","rel":"related","text":"PL-10"},{"href":"#pl-11","rel":"related","text":"PL-11"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-2","rel":"related","text":"SA-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sr-3","rel":"related","text":"SR-3"},{"href":"#sr-5","rel":"related","text":"SR-5"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","parameters":[{"id":"sa-11_prm_1"},{"id":"sa-11_prm_2","label":"organization-defined frequency"},{"id":"sa-11_prm_3","label":"organization-defined depth and coverage"}],"properties":[{"name":"label","value":"SA-11"},{"name":"sort-id","value":"SA-11"}],"links":[{"href":"#2ce3a8bf-7f8b-4249-bd16-808231415b14","rel":"reference","text":"[ISO 15408-3]"},{"href":"#1d9f757b-00d5-4db1-b15b-0ad641c6df7c","rel":"reference","text":"[SP 800-30]"},{"href":"#5db6dfe4-788e-4183-93b9-f6fb29d75e41","rel":"reference","text":"[SP 800-53A]"},{"href":"#fd0f14f5-8910-45c4-b60a-0c8936e00daa","rel":"reference","text":"[SP 800-154]"},{"href":"#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","rel":"reference","text":"[SP 800-160 v1]"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#sr-5","rel":"related","text":"SR-5"},{"href":"#sr-6","rel":"related","text":"SR-6"},{"href":"#sr-7","rel":"related","text":"SR-7"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy assessments;"},{"id":"sa-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }};"},{"id":"sa-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2"},{"id":"si-1_prm_3","label":"organization-defined official"},{"id":"si-1_prm_4","label":"organization-defined frequency"},{"id":"si-1_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-1"},{"name":"sort-id","value":"SI-01"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130]"},{"href":"#12702585-0c72-43c9-9185-a76a59f74233","rel":"reference","text":"[SP 800-12]"},{"href":"#9183bd83-170e-4701-b32c-97e08ef8bedb","rel":"reference","text":"[SP 800-100]"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"\n {{ si-1_prm_2 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Policy {{ si-1_prm_4 }}; and"},{"id":"si-1_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures {{ si-1_prm_5 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure."}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"SI-12"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#ac-1","rel":"related","text":"AC-1"},{"href":"#at-1","rel":"related","text":"AT-1"},{"href":"#au-1","rel":"related","text":"AU-1"},{"href":"#ca-1","rel":"related","text":"CA-1"},{"href":"#cm-1","rel":"related","text":"CM-1"},{"href":"#cp-1","rel":"related","text":"CP-1"},{"href":"#ia-1","rel":"related","text":"IA-1"},{"href":"#ir-1","rel":"related","text":"IR-1"},{"href":"#ma-1","rel":"related","text":"MA-1"},{"href":"#mp-1","rel":"related","text":"MP-1"},{"href":"#pe-1","rel":"related","text":"PE-1"},{"href":"#pl-1","rel":"related","text":"PL-1"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#ps-1","rel":"related","text":"PS-1"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#ra-1","rel":"related","text":"RA-1"},{"href":"#sa-1","rel":"related","text":"SA-1"},{"href":"#sc-1","rel":"related","text":"SC-1"},{"href":"#si-1","rel":"related","text":"SI-1"},{"href":"#sr-1","rel":"related","text":"SR-1"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-4","rel":"related","text":"PM-4"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#pt-1","rel":"related","text":"PT-1"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sr-1","rel":"related","text":"SR-1"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel."}],"controls":[{"id":"si-12.1","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","parameters":[{"id":"si-12.1_prm_1","label":"organization-defined elements of personally identifiable information"}],"properties":[{"name":"label","value":"SI-12(1)"},{"name":"sort-id","value":"SI-12(01)"}],"links":[{"href":"#pm-25","rel":"related","text":"PM-25"},{"href":"#pt-2","rel":"related","text":"PT-2"},{"href":"#pt-3","rel":"related","text":"PT-3"},{"href":"#ra-3","rel":"related","text":"RA-3"}],"parts":[{"id":"si-12.1_smt","name":"statement","prose":"Limit personally identifiable information being processed in the information life cycle to the following elements of PII: {{ si-12.1_prm_1 }}."},{"id":"si-12.1_gdn","name":"guidance","prose":"Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk."}]},{"id":"si-12.2","class":"SP800-53-enhancement","title":"Minimize Personally Identifiable Information in Testing, Training, and Research","parameters":[{"id":"si-12.2_prm_1","label":"organization-defined techniques"}],"properties":[{"name":"label","value":"SI-12(2)"},{"name":"sort-id","value":"SI-12(02)"}],"links":[{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-25","rel":"related","text":"PM-25"},{"href":"#si-19","rel":"related","text":"SI-19"}],"parts":[{"id":"si-12.2_smt","name":"statement","prose":"Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ si-12.2_prm_1 }}."},{"id":"si-12.2_gdn","name":"guidance","prose":"Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them."}]},{"id":"si-12.3","class":"SP800-53-enhancement","title":"Information Disposal","parameters":[{"id":"si-12.3_prm_1","label":"organization-defined techniques"}],"properties":[{"name":"label","value":"SI-12(3)"},{"name":"sort-id","value":"SI-12(03)"}],"links":[{"href":"#mp-6","rel":"related","text":"MP-6"}],"parts":[{"id":"si-12.3_smt","name":"statement","prose":"Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ si-12.3_prm_1 }}."},{"id":"si-12.3_gdn","name":"guidance","prose":"Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. Disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information."}]}]},{"id":"si-18","class":"SP800-53","title":"Personally Identifiable Information Quality Operations","parameters":[{"id":"si-18_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-18"},{"name":"sort-id","value":"SI-18"}],"links":[{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#si-4","rel":"related","text":"SI-4"}],"parts":[{"id":"si-18_smt","name":"statement","parts":[{"id":"si-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ si-18_prm_1 }}; and"},{"id":"si-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Correct or delete inaccurate or outdated personally identifiable information."}]},{"id":"si-18_gdn","name":"guidance","prose":"Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes."}],"controls":[{"id":"si-18.4","class":"SP800-53-enhancement","title":"Individual Requests","properties":[{"name":"label","value":"SI-18(4)"},{"name":"sort-id","value":"SI-18(04)"}],"links":[{"href":"#pm-22","rel":"related","text":"PM-22"}],"parts":[{"id":"si-18.4_smt","name":"statement","prose":"Correct or delete personally identifiable information upon request by individuals or their designated representatives."},{"id":"si-18.4_gdn","name":"guidance","prose":"Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion in determining if personally identifiable information is to be corrected or deleted, based on the scope of requests, the changes sought, the impact of the changes, and applicable laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion."}]}]},{"id":"si-19","class":"SP800-53","title":"De-identification","parameters":[{"id":"si-19_prm_1","label":"organization-defined elements of personally identifiable information"},{"id":"si-19_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-19"},{"name":"sort-id","value":"SI-19"}],"links":[{"href":"#a646d45d-775f-4887-86d3-5a00ffbc4090","rel":"reference","text":"[OMB A-130, Appendix II]"},{"href":"#eadef75e-7e4d-4554-b818-44946c1dde0e","rel":"reference","text":"[SP 800-188]"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pm-22","rel":"related","text":"PM-22"},{"href":"#pm-23","rel":"related","text":"PM-23"},{"href":"#pm-24","rel":"related","text":"PM-24"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#si-12","rel":"related","text":"SI-12"}],"parts":[{"id":"si-19_smt","name":"statement","parts":[{"id":"si-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Remove the following elements of personally identifiable information from datasets: {{ si-19_prm_1 }}; and"},{"id":"si-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Evaluate {{ si-19_prm_2 }} for effectiveness of de-identification."}]},{"id":"si-19_gdn","name":"guidance","prose":"De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection, since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time supports management of this residual risk."}]}]}],"back-matter":{"resources":[{"uuid":"a7dfa526-b81f-41d7-9875-c8b0faafe74b","title":"[PRIVACT]","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf"}]},{"uuid":"bc2bf069-c3a5-48a4-a274-684d997be0c2","title":"[EGOV]","citation":{"text":"E-Government Act [includes FISMA] (P.L. 107-347), December 2002."},"rlinks":[{"href":"https://www.congress.gov/107/plaws/publ347/PLAW-107publ347.pdf"}]},{"uuid":"14958422-54f6-471f-a345-802dca594dd8","title":"[FISMA]","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf"}]},{"uuid":"cde25174-38e0-4a00-8919-8ee3674b8088","title":"[HSPD 7]","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003."},"rlinks":[{"href":"https://www.dhs.gov/homeland-security-presidential-directive-7"}]},{"uuid":"395f6bb9-bcc2-41fc-977f-04372f4a6a82","title":"[OMB A-108]","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf"}]},{"uuid":"a646d45d-775f-4887-86d3-5a00ffbc4090","title":"[OMB A-130]","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016."},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf"}]},{"uuid":"f7d3617a-9a4f-4f1a-a688-845081b70390","title":"[OMB M-17-06]","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n "},"rlinks":[{"href":"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf"}]},{"uuid":"389fe193-866e-46b1-bf1d-38904b56aa7b","title":"[OMB M-17-12]","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n "},"rlinks":[{"href":"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf"}]},{"uuid":"24b7b1ec-6430-41de-9353-29fdb1b488fc","title":"[DHS NIPP]","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009."},"rlinks":[{"href":"https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf"}]},{"uuid":"6ddb507b-6ddb-4e15-a8d4-0854e704446e","title":"[ISO 15408-1]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf"}]},{"uuid":"18abb755-c10f-407d-b0ef-4f99e5ec4a49","title":"[ISO 15408-2]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf"}]},{"uuid":"2ce3a8bf-7f8b-4249-bd16-808231415b14","title":"[ISO 15408-3]","citation":{"text":"International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n "},"rlinks":[{"href":"https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf"}]},{"uuid":"aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b","title":"[FIPS 140-3]","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.140-3"}]},{"uuid":"b3e26423-0687-47c7-ba9a-a96870d58a27","title":"[FIPS 199]","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.199"}]},{"uuid":"f2163084-3287-45e2-9ee7-95f020415495","title":"[FIPS 200]","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.200"}]},{"uuid":"ab414c48-b7a2-4ffe-b74d-4d8b8120adce","title":"[FIPS 201-2]","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.FIPS.201-2"}]},{"uuid":"12702585-0c72-43c9-9185-a76a59f74233","title":"[SP 800-12]","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"ae962073-f9bb-4210-b1ad-53ef6f6afad6","title":"[SP 800-18]","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-18r1"}]},{"uuid":"1d9f757b-00d5-4db1-b15b-0ad641c6df7c","title":"[SP 800-30]","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-30r1"}]},{"uuid":"ed919d0d-8e21-4df6-801d-3fbc4cb8a505","title":"[SP 800-35]","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-35"}]},{"uuid":"e07d73ea-96b9-4330-aff2-e0215f455343","title":"[SP 800-37]","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-37r2"}]},{"uuid":"451e9636-402e-4c27-b3f5-e0e50f957f27","title":"[SP 800-39]","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-39"}]},{"uuid":"2e29c363-d5be-47ba-92f5-f8a58a69b65e","title":"[SP 800-50]","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-50"}]},{"uuid":"5db6dfe4-788e-4183-93b9-f6fb29d75e41","title":"[SP 800-53A]","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-53Ar4"}]},{"uuid":"8ba0d54e-fa16-4f5d-baa1-763ec3e33e26","title":"[SP 800-55]","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-55r1"}]},{"uuid":"68949f14-9cf5-4116-91d8-e820b9df3ffd","title":"[SP 800-60 v1]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v1r1"}]},{"uuid":"e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc","title":"[SP 800-60 v2]","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-60v2r1"}]},{"uuid":"7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b","title":"[SP 800-61]","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-61r2"}]},{"uuid":"549993c0-9bdd-4d49-875c-f56950cc5f30","title":"[SP 800-63-3]","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-63-3"}]},{"uuid":"14a7d982-9747-48e0-a877-3e8fbf6ae381","title":"[SP 800-70]","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-70r4"}]},{"uuid":"3d6b3a16-94e7-4a43-8648-8bdeaadb271b","title":"[SP 800-73-4]","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-73-4"}]},{"uuid":"8b0f8559-1185-45f9-b0a9-876d7b3c1c7b","title":"[SP 800-83]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-83r1"}]},{"uuid":"20bf433b-074c-47a0-8fca-cd591772ccd6","title":"[SP 800-84]","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-84"}]},{"uuid":"35dfd59f-eef2-4f71-bdb5-6d878267456a","title":"[SP 800-86]","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-86"}]},{"uuid":"fed6a3b5-2b74-499f-9172-46671f7c24c8","title":"[SP 800-88]","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-88r1"}]},{"uuid":"02d8ec60-6197-43f8-9f47-18732127963e","title":"[SP 800-92]","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-92"}]},{"uuid":"9183bd83-170e-4701-b32c-97e08ef8bedb","title":"[SP 800-100]","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"1e2c475a-84ae-4c60-b420-8fb2ea552b71","title":"[SP 800-101]","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n "},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-101r1"}]},{"uuid":"a6b97214-55d4-4b86-a3a4-53d5911d96f7","title":"[SP 800-115]","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"18c6942b-95f8-414c-b548-c8e6b8d8a172","title":"[SP 800-124]","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-124r1"}]},{"uuid":"a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4","title":"[SP 800-128]","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-128"}]},{"uuid":"c3b34083-77b2-4dab-a980-73068f8933bd","title":"[SP 800-137]","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-137"}]},{"uuid":"ad3e8f21-07c6-4968-b002-00b64dfa70ae","title":"[SP 800-150]","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-150"}]},{"uuid":"fd0f14f5-8910-45c4-b60a-0c8936e00daa","title":"[SP 800-154]","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https://csrc.nist.gov/publications/detail/sp/800-154/draft"}]},{"uuid":"8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e","title":"[SP 800-160 v1]","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v1"}]},{"uuid":"8411e6e8-09bd-431d-bbcb-3423d36ad880","title":"[SP 800-160 v2]","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v2"}]},{"uuid":"66476e76-46b4-47fb-be19-d13e6f3840df","title":"[SP 800-161]","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-161"}]},{"uuid":"f4c3f657-de83-47ae-9aec-e144de8268d1","title":"[SP 800-181]","citation":{"text":"Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-181"}]},{"uuid":"08f518f7-f9b9-4bee-8986-860214f46b16","title":"[SP 800-184]","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-184"}]},{"uuid":"eadef75e-7e4d-4554-b818-44946c1dde0e","title":"[SP 800-188]","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https://csrc.nist.gov/publications/detail/sp/800-188/draft"}]},{"uuid":"d4779b49-8acc-45ef-b4f0-30f945e81d1b","title":"[IR 7539]","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7539"}]},{"uuid":"09ac1fdb-36a9-483f-a04c-5c1e1bf104fb","title":"[IR 7559]","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7559"}]},{"uuid":"7b03adec-4405-4aac-94a0-6a9eb3f42e31","title":"[IR 7622]","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7622"}]},{"uuid":"daf69edb-a0ef-4447-9880-8c4bf553181f","title":"[IR 7676]","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7676"}]},{"uuid":"197f7ba7-9af8-4a67-b3a4-5523d850e53b","title":"[IR 7870]","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7870"}]},{"uuid":"bb22d510-54a9-4588-b725-00d37576562b","title":"[IR 7874]","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.7874"}]},{"uuid":"851b5ba4-6aa0-4583-857c-4c360cbdf2a0","title":"[IR 8011 v1]","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8011-1"}]},{"uuid":"7e7538d7-9c3a-4e5f-bbb4-638cec975415","title":"[IR 8023]","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8023"}]},{"uuid":"817b4227-5857-494d-9032-915980b32f15","title":"[IR 8062]","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https://doi.org/10.6028/NIST.IR.8062"}]},{"uuid":"5dac2312-1d0d-416f-aebb-400fa9775b74","title":"[NIAP CCEVS]","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https://www.niap-ccevs.org/"}]},{"uuid":"634dec27-df88-4c30-b1a4-b57cdfd24f20","title":"[NSA CSFC]","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/csfc"}]},{"uuid":"a52271dc-11b5-423a-8b6f-14867bd94259","title":"[NSA MEDIA]","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https://www.nsa.gov/resources/everyone/media-destruction"}]}]}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.json deleted file mode 100644 index d2b87f5dae..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.json +++ /dev/null @@ -1,12765 +0,0 @@ -{ - "catalog": { - "uuid": "9c407281-40f0-4c8b-9e99-7cee1529b5b1", - "metadata": { - "title": "SP800-53 PRIVACY BASELINE", - "last-modified": "2020-08-26T16:28:37.032-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "properties": [ - { - "name": "resolution-timestamp", - "value": "2020-08-31T17:39:57.58205Z" - } - ], - "links": [ - { - "href": "NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml", - "rel": "resolution-source", - "text": "SP800-53 PRIVACY BASELINE" - } - ], - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696" - ] - }, - "contact": { - "party-uuids": [ - "d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696" - ] - } - } - }, - "groups": [ - { - "id": "ac", - "class": "family", - "title": "Access Control", - "controls": [ - { - "id": "ac-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ac-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ac-1_prm_2" - }, - { - "id": "ac-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ac-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ac-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AC-1" - }, - { - "name": "sort-id", - "value": "AC-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#bb22d510-54a9-4588-b725-00d37576562b", - "rel": "reference", - "text": "[IR 7874]" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ac-1_smt", - "name": "statement", - "parts": [ - { - "id": "ac-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ac-1_prm_1 }}:", - "parts": [ - { - "id": "ac-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ac-1_prm_2 }} access control policy that:", - "parts": [ - { - "id": "ac-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ac-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ac-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" - } - ] - }, - { - "id": "ac-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" - }, - { - "id": "ac-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current access control:", - "parts": [ - { - "id": "ac-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ac-1_prm_4 }}; and" - }, - { - "id": "ac-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ac-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ac-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - } - ] - }, - { - "id": "at", - "class": "family", - "title": "Awareness and Training", - "controls": [ - { - "id": "at-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "at-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "at-1_prm_2" - }, - { - "id": "at-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "at-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "at-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-1" - }, - { - "name": "sort-id", - "value": "AT-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-1_smt", - "name": "statement", - "parts": [ - { - "id": "at-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ at-1_prm_1 }}:", - "parts": [ - { - "id": "at-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ at-1_prm_2 }} awareness and training policy that:", - "parts": [ - { - "id": "at-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "at-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "at-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" - } - ] - }, - { - "id": "at-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" - }, - { - "id": "at-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current awareness and training:", - "parts": [ - { - "id": "at-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ at-1_prm_4 }}; and" - }, - { - "id": "at-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ at-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "at-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "at-2", - "class": "SP800-53", - "title": "Awareness Training", - "parameters": [ - { - "id": "at-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "at-2_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-2" - }, - { - "name": "sort-id", - "value": "AT-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - } - ], - "parts": [ - { - "id": "at-2_smt", - "name": "statement", - "parts": [ - { - "id": "at-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):", - "parts": [ - { - "id": "at-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and" - }, - { - "id": "at-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update awareness training {{ at-2_prm_2 }}." - } - ] - }, - { - "id": "at-2_gdn", - "name": "guidance", - "prose": "Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective." - } - ], - "controls": [ - { - "id": "at-2.5", - "class": "SP800-53-enhancement", - "title": "Breach", - "properties": [ - { - "name": "label", - "value": "AT-2(5)" - }, - { - "name": "sort-id", - "value": "AT-02(05)" - } - ], - "links": [ - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - } - ], - "parts": [ - { - "id": "at-2.5_smt", - "name": "statement", - "prose": "Provide awareness training on how to identify and respond to a breach, including the organization’s process for reporting a breach." - }, - { - "id": "at-2.5_gdn", - "name": "guidance", - "prose": "A breach is a type of incident that involves personally identifiable information. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The awareness training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Awareness training includes tabletop exercises that simulate a breach." - } - ] - } - ] - }, - { - "id": "at-3", - "class": "SP800-53", - "title": "Role-based Training", - "parameters": [ - { - "id": "at-3_prm_1", - "label": "organization-defined roles and responsibilities" - }, - { - "id": "at-3_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "at-3_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-3" - }, - { - "name": "sort-id", - "value": "AT-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-13", - "rel": "related", - "text": "PM-13" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "at-3_smt", - "name": "statement", - "parts": [ - { - "id": "at-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}:", - "parts": [ - { - "id": "at-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and" - }, - { - "id": "at-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "When required by system changes; and" - } - ] - }, - { - "id": "at-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update role-based training {{ at-3_prm_3 }}." - } - ] - }, - { - "id": "at-3_gdn", - "name": "guidance", - "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective." - } - ], - "controls": [ - { - "id": "at-3.5", - "class": "SP800-53-enhancement", - "title": "Accessing Personally Identifiable Information", - "parameters": [ - { - "id": "at-3.5_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "at-3.5_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-3(5)" - }, - { - "name": "sort-id", - "value": "AT-03(05)" - } - ], - "parts": [ - { - "id": "at-3.5_smt", - "name": "statement", - "prose": "Provide {{ at-3.5_prm_1 }} with initial and {{ at-3.5_prm_2 }} training on:", - "parts": [ - { - "id": "at-3.5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Organizational authority for collecting personally identifiable information;" - }, - { - "id": "at-3.5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Authorized uses of personally identifiable information;" - }, - { - "id": "at-3.5_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Identifying, reporting, and responding to a suspected or confirmed breach;" - }, - { - "id": "at-3.5_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(d)" - } - ], - "prose": "Content of system of records notices, computer matching agreements, and privacy impact assessments;" - }, - { - "id": "at-3.5_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(e)" - } - ], - "prose": "Authorized sharing of personally identifiable information with external parties; and" - }, - { - "id": "at-3.5_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(f)" - } - ], - "prose": "Rules of behavior and the consequences for unauthorized collection, use, or sharing of personally identifiable information." - } - ] - }, - { - "id": "at-3.5_gdn", - "name": "guidance", - "prose": "Role-based training addresses the responsibility of individuals when accessing personally identifiable information; the organization’s established rules of behavior when accessing personally identifiable information; the consequences for violating the rules of behavior; and how to respond to a breach. Role-based training helps ensure personnel comply with applicable privacy requirements and is necessary to manage privacy risks." - } - ] - } - ] - }, - { - "id": "at-4", - "class": "SP800-53", - "title": "Training Records", - "parameters": [ - { - "id": "at-4_prm_1", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "AT-4" - }, - { - "name": "sort-id", - "value": "AT-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "at-4_smt", - "name": "statement", - "parts": [ - { - "id": "at-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" - }, - { - "id": "at-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain individual training records for {{ at-4_prm_1 }}." - } - ] - }, - { - "id": "at-4_gdn", - "name": "guidance", - "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." - } - ] - } - ] - }, - { - "id": "au", - "class": "family", - "title": "Audit and Accountability", - "controls": [ - { - "id": "au-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "au-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "au-1_prm_2" - }, - { - "id": "au-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "au-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "au-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-1" - }, - { - "name": "sort-id", - "value": "AU-01" - } - ], - "links": [ - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-1_smt", - "name": "statement", - "parts": [ - { - "id": "au-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ au-1_prm_1 }}:", - "parts": [ - { - "id": "au-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ au-1_prm_2 }} audit and accountability policy that:", - "parts": [ - { - "id": "au-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "au-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "au-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" - } - ] - }, - { - "id": "au-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" - }, - { - "id": "au-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current audit and accountability:", - "parts": [ - { - "id": "au-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ au-1_prm_4 }}; and" - }, - { - "id": "au-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ au-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "au-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "au-2", - "class": "SP800-53", - "title": "Event Logging", - "parameters": [ - { - "id": "au-2_prm_1", - "label": "organization-defined event types that the system is capable of logging" - }, - { - "id": "au-2_prm_2", - "label": "organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type" - }, - { - "id": "au-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-2" - }, - { - "name": "sort-id", - "value": "AU-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#02d8ec60-6197-43f8-9f47-18732127963e", - "rel": "reference", - "text": "[SP 800-92]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#au-3", - "rel": "related", - "text": "AU-3" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#au-12", - "rel": "related", - "text": "AU-12" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#ia-3", - "rel": "related", - "text": "IA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pm-21", - "rel": "related", - "text": "PM-21" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - }, - { - "href": "#si-10", - "rel": "related", - "text": "SI-10" - }, - { - "href": "#si-11", - "rel": "related", - "text": "SI-11" - } - ], - "parts": [ - { - "id": "au-2_smt", - "name": "statement", - "parts": [ - { - "id": "au-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }};" - }, - { - "id": "au-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" - }, - { - "id": "au-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Specify the following event types for logging within the system: {{ au-2_prm_2 }};" - }, - { - "id": "au-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" - }, - { - "id": "au-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Review and update the event types selected for logging {{ au-2_prm_3 }}." - } - ] - }, - { - "id": "au-2_gdn", - "name": "guidance", - "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\nTo balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." - } - ] - }, - { - "id": "au-11", - "class": "SP800-53", - "title": "Audit Record Retention", - "parameters": [ - { - "id": "au-11_prm_1", - "label": "organization-defined time-period consistent with records retention policy" - } - ], - "properties": [ - { - "name": "label", - "value": "AU-11" - }, - { - "name": "sort-id", - "value": "AU-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#au-4", - "rel": "related", - "text": "AU-4" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-9", - "rel": "related", - "text": "AU-9" - }, - { - "href": "#au-14", - "rel": "related", - "text": "AU-14" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "au-11_smt", - "name": "statement", - "prose": "Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." - }, - { - "id": "au-11_gdn", - "name": "guidance", - "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention." - } - ] - } - ] - }, - { - "id": "ca", - "class": "family", - "title": "Assessment, Authorization, and Monitoring", - "controls": [ - { - "id": "ca-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ca-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-1_prm_2" - }, - { - "id": "ca-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ca-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ca-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-1" - }, - { - "name": "sort-id", - "value": "CA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-1_smt", - "name": "statement", - "parts": [ - { - "id": "ca-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ca-1_prm_1 }}:", - "parts": [ - { - "id": "ca-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that:", - "parts": [ - { - "id": "ca-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ca-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ca-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" - } - ] - }, - { - "id": "ca-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" - }, - { - "id": "ca-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current assessment, authorization, and monitoring:", - "parts": [ - { - "id": "ca-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ca-1_prm_4 }}; and" - }, - { - "id": "ca-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ca-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ca-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ca-2", - "class": "SP800-53", - "title": "Control Assessments", - "parameters": [ - { - "id": "ca-2_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ca-2_prm_2", - "label": "organization-defined individuals or roles" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-2" - }, - { - "name": "sort-id", - "value": "CA-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - } - ], - "parts": [ - { - "id": "ca-2_smt", - "name": "statement", - "parts": [ - { - "id": "ca-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a control assessment plan that describes the scope of the assessment including:", - "parts": [ - { - "id": "ca-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Controls and control enhancements under assessment;" - }, - { - "id": "ca-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Assessment procedures to be used to determine control effectiveness; and" - }, - { - "id": "ca-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" - } - ] - }, - { - "id": "ca-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" - }, - { - "id": "ca-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" - }, - { - "id": "ca-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Produce a control assessment report that document the results of the assessment; and" - }, - { - "id": "ca-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Provide the results of the control assessment to {{ ca-2_prm_2 }}." - } - ] - }, - { - "id": "ca-2_gdn", - "name": "guidance", - "prose": "Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\nOrganizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control." - } - ] - }, - { - "id": "ca-5", - "class": "SP800-53", - "title": "Plan of Action and Milestones", - "parameters": [ - { - "id": "ca-5_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-5" - }, - { - "name": "sort-id", - "value": "CA-05" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-5_smt", - "name": "statement", - "parts": [ - { - "id": "ca-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" - }, - { - "id": "ca-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities." - } - ] - }, - { - "id": "ca-5_gdn", - "name": "guidance", - "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB." - } - ] - }, - { - "id": "ca-6", - "class": "SP800-53", - "title": "Authorization", - "parameters": [ - { - "id": "ca-6_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-6" - }, - { - "name": "sort-id", - "value": "CA-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ca-6_smt", - "name": "statement", - "parts": [ - { - "id": "ca-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Assign a senior official as the authorizing official for the system;" - }, - { - "id": "ca-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ensure that the authorizing official for the system, before commencing operations:", - "parts": [ - { - "id": "ca-6_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Accepts the use of common controls inherited by the system; and" - }, - { - "id": "ca-6_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Authorizes the system to operate;" - } - ] - }, - { - "id": "ca-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" - }, - { - "id": "ca-6_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Update the authorizations {{ ca-6_prm_1 }}." - } - ] - }, - { - "id": "ca-6_gdn", - "name": "guidance", - "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." - } - ] - }, - { - "id": "ca-7", - "class": "SP800-53", - "title": "Continuous Monitoring", - "parameters": [ - { - "id": "ca-7_prm_1", - "label": "organization-defined system-level metrics" - }, - { - "id": "ca-7_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "ca-7_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ca-7_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CA-7" - }, - { - "name": "sort-id", - "value": "CA-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "rel": "reference", - "text": "[IR 8011 v1]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-31", - "rel": "related", - "text": "PM-31" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - } - ], - "parts": [ - { - "id": "ca-7_smt", - "name": "statement", - "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", - "parts": [ - { - "id": "ca-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }};" - }, - { - "id": "ca-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "ca-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "ca-7_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "ca-7_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "ca-7_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Reporting the security and privacy status of the system to {{ ca-7_prm_4 }}\n {{ ca-7_prm_5 }}." - } - ] - }, - { - "id": "ca-7_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ], - "controls": [ - { - "id": "ca-7.4", - "class": "SP800-53-enhancement", - "title": "Risk Monitoring", - "properties": [ - { - "name": "label", - "value": "CA-7(4)" - }, - { - "name": "sort-id", - "value": "CA-07(04)" - } - ], - "parts": [ - { - "id": "ca-7.4_smt", - "name": "statement", - "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", - "parts": [ - { - "id": "ca-7.4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Effectiveness monitoring;" - }, - { - "id": "ca-7.4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Compliance monitoring; and" - }, - { - "id": "ca-7.4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Change monitoring." - } - ] - }, - { - "id": "ca-7.4_gdn", - "name": "guidance", - "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." - } - ] - } - ] - } - ] - }, - { - "id": "cm", - "class": "family", - "title": "Configuration Management", - "controls": [ - { - "id": "cm-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "cm-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "cm-1_prm_2" - }, - { - "id": "cm-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "cm-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "cm-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "CM-1" - }, - { - "name": "sort-id", - "value": "CM-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "cm-1_smt", - "name": "statement", - "parts": [ - { - "id": "cm-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ cm-1_prm_1 }}:", - "parts": [ - { - "id": "cm-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ cm-1_prm_2 }} configuration management policy that:", - "parts": [ - { - "id": "cm-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "cm-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "cm-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" - } - ] - }, - { - "id": "cm-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" - }, - { - "id": "cm-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current configuration management:", - "parts": [ - { - "id": "cm-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ cm-1_prm_4 }}; and" - }, - { - "id": "cm-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ cm-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "cm-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "cm-4", - "class": "SP800-53", - "title": "Impact Analyses", - "properties": [ - { - "name": "label", - "value": "CM-4" - }, - { - "name": "sort-id", - "value": "CM-04" - } - ], - "links": [ - { - "href": "#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "rel": "reference", - "text": "[SP 800-128]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-10", - "rel": "related", - "text": "SA-10" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - } - ], - "parts": [ - { - "id": "cm-4_smt", - "name": "statement", - "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." - }, - { - "id": "cm-4_gdn", - "name": "guidance", - "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required." - } - ] - } - ] - }, - { - "id": "ir", - "class": "family", - "title": "Incident Response", - "controls": [ - { - "id": "ir-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ir-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-1_prm_2" - }, - { - "id": "ir-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ir-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ir-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-1" - }, - { - "name": "sort-id", - "value": "IR-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "rel": "reference", - "text": "[SP 800-50]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "rel": "reference", - "text": "[SP 800-83]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ir-1_smt", - "name": "statement", - "parts": [ - { - "id": "ir-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ir-1_prm_1 }}:", - "parts": [ - { - "id": "ir-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ir-1_prm_2 }} incident response policy that:", - "parts": [ - { - "id": "ir-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ir-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ir-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" - } - ] - }, - { - "id": "ir-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" - }, - { - "id": "ir-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current incident response:", - "parts": [ - { - "id": "ir-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ir-1_prm_4 }}; and" - }, - { - "id": "ir-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ir-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ir-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ir-3", - "class": "SP800-53", - "title": "Incident Response Testing", - "parameters": [ - { - "id": "ir-3_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "ir-3_prm_2", - "label": "organization-defined tests" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-3" - }, - { - "name": "sort-id", - "value": "IR-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#20bf433b-074c-47a0-8fca-cd591772ccd6", - "rel": "reference", - "text": "[SP 800-84]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - } - ], - "parts": [ - { - "id": "ir-3_smt", - "name": "statement", - "prose": "Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}." - }, - { - "id": "ir-3_gdn", - "name": "guidance", - "prose": "Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." - } - ] - }, - { - "id": "ir-4", - "class": "SP800-53", - "title": "Incident Handling", - "properties": [ - { - "name": "label", - "value": "IR-4" - }, - { - "name": "sort-id", - "value": "IR-04" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#35dfd59f-eef2-4f71-bdb5-6d878267456a", - "rel": "reference", - "text": "[SP 800-86]" - }, - { - "href": "#1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "rel": "reference", - "text": "[SP 800-101]" - }, - { - "href": "#ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "rel": "reference", - "text": "[SP 800-150]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#08f518f7-f9b9-4bee-8986-860214f46b16", - "rel": "reference", - "text": "[SP 800-184]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-7", - "rel": "related", - "text": "AU-7" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-3", - "rel": "related", - "text": "CP-3" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-2", - "rel": "related", - "text": "IR-2" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-10", - "rel": "related", - "text": "IR-10" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-7", - "rel": "related", - "text": "SI-7" - } - ], - "parts": [ - { - "id": "ir-4_smt", - "name": "statement", - "parts": [ - { - "id": "ir-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" - }, - { - "id": "ir-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Coordinate incident handling activities with contingency planning activities;" - }, - { - "id": "ir-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" - }, - { - "id": "ir-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." - } - ] - }, - { - "id": "ir-4_gdn", - "name": "guidance", - "prose": "Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk." - } - ] - }, - { - "id": "ir-6", - "class": "SP800-53", - "title": "Incident Reporting", - "parameters": [ - { - "id": "ir-6_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "ir-6_prm_2", - "label": "organization-defined authorities" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-6" - }, - { - "name": "sort-id", - "value": "IR-06" - } - ], - "links": [ - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - } - ], - "parts": [ - { - "id": "ir-6_smt", - "name": "statement", - "parts": [ - { - "id": "ir-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and" - }, - { - "id": "ir-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}." - } - ] - }, - { - "id": "ir-6_gdn", - "name": "guidance", - "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." - } - ] - }, - { - "id": "ir-7", - "class": "SP800-53", - "title": "Incident Response Assistance", - "properties": [ - { - "name": "label", - "value": "IR-7" - }, - { - "name": "sort-id", - "value": "IR-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "rel": "reference", - "text": "[IR 7559]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-6", - "rel": "related", - "text": "IR-6" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-26", - "rel": "related", - "text": "PM-26" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "ir-7_smt", - "name": "statement", - "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents." - }, - { - "id": "ir-7_gdn", - "name": "guidance", - "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." - } - ] - }, - { - "id": "ir-8", - "class": "SP800-53", - "title": "Incident Response Plan", - "parameters": [ - { - "id": "ir-8_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ir-8_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "ir-8_prm_3", - "label": "organization-defined entities, personnel, or roles" - }, - { - "id": "ir-8_prm_4", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "id": "ir-8_prm_5", - "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - } - ], - "properties": [ - { - "name": "label", - "value": "IR-8" - }, - { - "name": "sort-id", - "value": "IR-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "rel": "reference", - "text": "[SP 800-61]" - }, - { - "href": "#389fe193-866e-46b1-bf1d-38904b56aa7b", - "rel": "reference", - "text": "[OMB M-17-12]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-8", - "rel": "related", - "text": "SR-8" - } - ], - "parts": [ - { - "id": "ir-8_smt", - "name": "statement", - "parts": [ - { - "id": "ir-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop an incident response plan that:", - "parts": [ - { - "id": "ir-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Provides the organization with a roadmap for implementing its incident response capability;" - }, - { - "id": "ir-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Describes the structure and organization of the incident response capability;" - }, - { - "id": "ir-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" - }, - { - "id": "ir-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" - }, - { - "id": "ir-8_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Defines reportable incidents;" - }, - { - "id": "ir-8_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provides metrics for measuring the incident response capability within the organization;" - }, - { - "id": "ir-8_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" - }, - { - "id": "ir-8_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Is reviewed and approved by {{ ir-8_prm_1 }}\n {{ ir-8_prm_2 }}; and" - }, - { - "id": "ir-8_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}." - } - ] - }, - { - "id": "ir-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the incident response plan to {{ ir-8_prm_4 }};" - }, - { - "id": "ir-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" - }, - { - "id": "ir-8_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Communicate incident response plan changes to {{ ir-8_prm_5 }}; and" - }, - { - "id": "ir-8_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the incident response plan from unauthorized disclosure and modification." - } - ] - }, - { - "id": "ir-8_gdn", - "name": "guidance", - "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." - } - ], - "controls": [ - { - "id": "ir-8.1", - "class": "SP800-53-enhancement", - "title": "Privacy Breaches", - "properties": [ - { - "name": "label", - "value": "IR-8(1)" - }, - { - "name": "sort-id", - "value": "IR-08(01)" - } - ], - "links": [ - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-5", - "rel": "related", - "text": "PT-5" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - } - ], - "parts": [ - { - "id": "ir-8.1_smt", - "name": "statement", - "prose": "Include the following in the Incident Response Plan for breaches involving personally identifiable information:", - "parts": [ - { - "id": "ir-8.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;" - }, - { - "id": "ir-8.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and" - }, - { - "id": "ir-8.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Identification of applicable privacy requirements." - } - ] - }, - { - "id": "ir-8.1_gdn", - "name": "guidance", - "prose": "Organizations may be required by law, regulation, or policy to follow specific procedures relating to privacy breaches, including notice to individuals, affected organizations, and oversight bodies, standards of harm, and mitigation or other specific requirements." - } - ] - } - ] - } - ] - }, - { - "id": "mp", - "class": "family", - "title": "Media Protection", - "controls": [ - { - "id": "mp-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "mp-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "mp-1_prm_2" - }, - { - "id": "mp-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "mp-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "mp-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-1" - }, - { - "name": "sort-id", - "value": "MP-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "mp-1_smt", - "name": "statement", - "parts": [ - { - "id": "mp-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ mp-1_prm_1 }}:", - "parts": [ - { - "id": "mp-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ mp-1_prm_2 }} media protection policy that:", - "parts": [ - { - "id": "mp-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "mp-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "mp-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" - } - ] - }, - { - "id": "mp-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" - }, - { - "id": "mp-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current media protection:", - "parts": [ - { - "id": "mp-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ mp-1_prm_4 }}; and" - }, - { - "id": "mp-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ mp-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "mp-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "mp-6", - "class": "SP800-53", - "title": "Media Sanitization", - "parameters": [ - { - "id": "mp-6_prm_1", - "label": "organization-defined system media" - }, - { - "id": "mp-6_prm_2", - "label": "organization-defined sanitization techniques and procedures" - } - ], - "properties": [ - { - "name": "label", - "value": "MP-6" - }, - { - "name": "sort-id", - "value": "MP-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#fed6a3b5-2b74-499f-9172-46671f7c24c8", - "rel": "reference", - "text": "[SP 800-88]" - }, - { - "href": "#18c6942b-95f8-414c-b548-c8e6b8d8a172", - "rel": "reference", - "text": "[SP 800-124]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#a52271dc-11b5-423a-8b6f-14867bd94259", - "rel": "reference", - "text": "[NSA MEDIA]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#ac-7", - "rel": "related", - "text": "AC-7" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - }, - { - "href": "#sr-11", - "rel": "related", - "text": "SR-11" - } - ], - "parts": [ - { - "id": "mp-6_smt", - "name": "statement", - "parts": [ - { - "id": "mp-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and" - }, - { - "id": "mp-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." - } - ] - }, - { - "id": "mp-6_gdn", - "name": "guidance", - "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information." - } - ] - } - ] - }, - { - "id": "pl", - "class": "family", - "title": "Planning", - "controls": [ - { - "id": "pl-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pl-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-1_prm_2" - }, - { - "id": "pl-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pl-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pl-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-1" - }, - { - "name": "sort-id", - "value": "PL-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-1_smt", - "name": "statement", - "parts": [ - { - "id": "pl-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pl-1_prm_1 }}:", - "parts": [ - { - "id": "pl-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pl-1_prm_2 }} planning policy that:", - "parts": [ - { - "id": "pl-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pl-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pl-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" - } - ] - }, - { - "id": "pl-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" - }, - { - "id": "pl-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current planning:", - "parts": [ - { - "id": "pl-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pl-1_prm_4 }}; and" - }, - { - "id": "pl-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pl-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pl-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pl-2", - "class": "SP800-53", - "title": "System Security and Privacy Plans", - "parameters": [ - { - "id": "pl-2_prm_1", - "label": "organization-defined individuals or groups" - }, - { - "id": "pl-2_prm_2", - "label": "organization-defined personnel or roles" - }, - { - "id": "pl-2_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-2" - }, - { - "name": "sort-id", - "value": "PL-02" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-14", - "rel": "related", - "text": "AC-14" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-5", - "rel": "related", - "text": "MP-5" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-22", - "rel": "related", - "text": "SA-22" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pl-2_smt", - "name": "statement", - "parts": [ - { - "id": "pl-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop security and privacy plans for the system that:", - "parts": [ - { - "id": "pl-2_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are consistent with the organization’s enterprise architecture;" - }, - { - "id": "pl-2_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Explicitly define the constituent system components;" - }, - { - "id": "pl-2_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Describe the operational context of the system in terms of missions and business processes;" - }, - { - "id": "pl-2_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Provide the security categorization of the system, including supporting rationale;" - }, - { - "id": "pl-2_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Describe any specific threats to the system that are of concern to the organization;" - }, - { - "id": "pl-2_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" - }, - { - "id": "pl-2_smt.a.7", - "name": "item", - "properties": [ - { - "name": "label", - "value": "7." - } - ], - "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" - }, - { - "id": "pl-2_smt.a.8", - "name": "item", - "properties": [ - { - "name": "label", - "value": "8." - } - ], - "prose": "Provide an overview of the security and privacy requirements for the system;" - }, - { - "id": "pl-2_smt.a.9", - "name": "item", - "properties": [ - { - "name": "label", - "value": "9." - } - ], - "prose": "Identify any relevant control baselines or overlays, if applicable;" - }, - { - "id": "pl-2_smt.a.10", - "name": "item", - "properties": [ - { - "name": "label", - "value": "10." - } - ], - "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" - }, - { - "id": "pl-2_smt.a.11", - "name": "item", - "properties": [ - { - "name": "label", - "value": "11." - } - ], - "prose": "Include risk determinations for security and privacy architecture and design decisions;" - }, - { - "id": "pl-2_smt.a.12", - "name": "item", - "properties": [ - { - "name": "label", - "value": "12." - } - ], - "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and" - }, - { - "id": "pl-2_smt.a.13", - "name": "item", - "properties": [ - { - "name": "label", - "value": "13." - } - ], - "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." - } - ] - }, - { - "id": "pl-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }};" - }, - { - "id": "pl-2_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review the plans {{ pl-2_prm_3 }};" - }, - { - "id": "pl-2_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" - }, - { - "id": "pl-2_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Protect the plans from unauthorized disclosure and modification." - } - ] - }, - { - "id": "pl-2_gdn", - "name": "guidance", - "prose": "System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate." - } - ] - }, - { - "id": "pl-4", - "class": "SP800-53", - "title": "Rules of Behavior", - "parameters": [ - { - "id": "pl-4_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pl-4_prm_2" - }, - { - "id": "pl-4_prm_3", - "depends-on": "pl-4_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-4" - }, - { - "name": "sort-id", - "value": "PL-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "rel": "reference", - "text": "[SP 800-18]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-8", - "rel": "related", - "text": "AC-8" - }, - { - "href": "#ac-9", - "rel": "related", - "text": "AC-9" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#ac-18", - "rel": "related", - "text": "AC-18" - }, - { - "href": "#ac-19", - "rel": "related", - "text": "AC-19" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-2", - "rel": "related", - "text": "IA-2" - }, - { - "href": "#ia-4", - "rel": "related", - "text": "IA-4" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#mp-7", - "rel": "related", - "text": "MP-7" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pl-4_smt", - "name": "statement", - "parts": [ - { - "id": "pl-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" - }, - { - "id": "pl-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" - }, - { - "id": "pl-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the rules of behavior {{ pl-4_prm_1 }}; and" - }, - { - "id": "pl-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}." - } - ] - }, - { - "id": "pl-4_gdn", - "name": "guidance", - "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons." - } - ], - "controls": [ - { - "id": "pl-4.1", - "class": "SP800-53-enhancement", - "title": "Social Media and External Site/application Usage Restrictions", - "properties": [ - { - "name": "label", - "value": "PL-4(1)" - }, - { - "name": "sort-id", - "value": "PL-04(01)" - } - ], - "links": [ - { - "href": "#ac-22", - "rel": "related", - "text": "AC-22" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - } - ], - "parts": [ - { - "id": "pl-4.1_smt", - "name": "statement", - "prose": "Include in the rules of behavior, restrictions on:", - "parts": [ - { - "id": "pl-4.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Use of social media, social networking sites, and external sites/applications;" - }, - { - "id": "pl-4.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Posting organizational information on public websites; and" - }, - { - "id": "pl-4.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications." - } - ] - }, - { - "id": "pl-4.1_gdn", - "name": "guidance", - "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information." - } - ] - } - ] - }, - { - "id": "pl-8", - "class": "SP800-53", - "title": "Security and Privacy Architectures", - "parameters": [ - { - "id": "pl-8_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-8" - }, - { - "name": "sort-id", - "value": "PL-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#cm-2", - "rel": "related", - "text": "CM-2" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-7", - "rel": "related", - "text": "PL-7" - }, - { - "href": "#pl-9", - "rel": "related", - "text": "PL-9" - }, - { - "href": "#pm-5", - "rel": "related", - "text": "PM-5" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "pl-8_smt", - "name": "statement", - "parts": [ - { - "id": "pl-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop security and privacy architectures for the system that:", - "parts": [ - { - "id": "pl-8_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" - }, - { - "id": "pl-8_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" - }, - { - "id": "pl-8_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" - }, - { - "id": "pl-8_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Describe any assumptions about, and dependencies on, external systems and services;" - } - ] - }, - { - "id": "pl-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and" - }, - { - "id": "pl-8_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions." - } - ] - }, - { - "id": "pl-8_gdn", - "name": "guidance", - "prose": "The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs.\n[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented.\nPL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." - } - ] - }, - { - "id": "pl-9", - "class": "SP800-53", - "title": "Central Management", - "parameters": [ - { - "id": "pl-9_prm_1", - "label": "organization-defined controls and related processes" - } - ], - "properties": [ - { - "name": "label", - "value": "PL-9" - }, - { - "name": "sort-id", - "value": "PL-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - } - ], - "parts": [ - { - "id": "pl-9_smt", - "name": "statement", - "prose": "Centrally manage {{ pl-9_prm_1 }}." - }, - { - "id": "pl-9_gdn", - "name": "guidance", - "prose": "Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and judicious use of organizational resources. Centrally-managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.\nAs part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6(1), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-7, SI-8." - } - ] - } - ] - }, - { - "id": "pm", - "class": "family", - "title": "Program Management", - "controls": [ - { - "id": "pm-3", - "class": "SP800-53", - "title": "Information Security and Privacy Resources", - "properties": [ - { - "name": "label", - "value": "PM-3" - }, - { - "name": "sort-id", - "value": "PM-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-3_smt", - "name": "statement", - "parts": [ - { - "id": "pm-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;" - }, - { - "id": "pm-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and" - }, - { - "id": "pm-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make available for expenditure, the planned information security and privacy resources." - } - ] - }, - { - "id": "pm-3_gdn", - "name": "guidance", - "prose": "Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process." - } - ] - }, - { - "id": "pm-4", - "class": "SP800-53", - "title": "Plan of Action and Milestones Process", - "properties": [ - { - "name": "label", - "value": "PM-4" - }, - { - "name": "sort-id", - "value": "PM-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pm-3", - "rel": "related", - "text": "PM-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-4_smt", - "name": "statement", - "parts": [ - { - "id": "pm-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:", - "parts": [ - { - "id": "pm-4_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained;" - }, - { - "id": "pm-4_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-4_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Are reported in accordance with established reporting requirements." - } - ] - }, - { - "id": "pm-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-4_gdn", - "name": "guidance", - "prose": "The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5." - } - ] - }, - { - "id": "pm-6", - "class": "SP800-53", - "title": "Measures of Performance", - "properties": [ - { - "name": "label", - "value": "PM-6" - }, - { - "name": "sort-id", - "value": "PM-06" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "rel": "reference", - "text": "[SP 800-55]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - } - ], - "parts": [ - { - "id": "pm-6_smt", - "name": "statement", - "prose": "Develop, monitor, and report on the results of information security and privacy measures of performance." - }, - { - "id": "pm-6_gdn", - "name": "guidance", - "prose": "Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program." - } - ] - }, - { - "id": "pm-7", - "class": "SP800-53", - "title": "Enterprise Architecture", - "properties": [ - { - "name": "label", - "value": "PM-7" - }, - { - "name": "sort-id", - "value": "PM-07" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#8411e6e8-09bd-431d-bbcb-3423d36ad880", - "rel": "reference", - "text": "[SP 800-160 v2]" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-8", - "rel": "related", - "text": "PL-8" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - } - ], - "parts": [ - { - "id": "pm-7_smt", - "name": "statement", - "prose": "Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation." - }, - { - "id": "pm-7_gdn", - "name": "guidance", - "prose": "The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines." - } - ] - }, - { - "id": "pm-8", - "class": "SP800-53", - "title": "Critical Infrastructure Plan", - "properties": [ - { - "name": "label", - "value": "PM-8" - }, - { - "name": "sort-id", - "value": "PM-08" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#cde25174-38e0-4a00-8919-8ee3674b8088", - "rel": "reference", - "text": "[HSPD 7]" - }, - { - "href": "#24b7b1ec-6430-41de-9353-29fdb1b488fc", - "rel": "reference", - "text": "[DHS NIPP]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-11", - "rel": "related", - "text": "PM-11" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pm-8_smt", - "name": "statement", - "prose": "Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan." - }, - { - "id": "pm-8_gdn", - "name": "guidance", - "prose": "Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." - } - ] - }, - { - "id": "pm-9", - "class": "SP800-53", - "title": "Risk Management Strategy", - "parameters": [ - { - "id": "pm-9_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-9" - }, - { - "name": "sort-id", - "value": "PM-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-2", - "rel": "related", - "text": "PM-2" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#pm-30", - "rel": "related", - "text": "PM-30" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-9", - "rel": "related", - "text": "RA-9" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "pm-9_smt", - "name": "statement", - "parts": [ - { - "id": "pm-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develops a comprehensive strategy to manage:", - "parts": [ - { - "id": "pm-9_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and" - }, - { - "id": "pm-9_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Privacy risk to individuals resulting from the authorized processing of personally identifiable information;" - } - ] - }, - { - "id": "pm-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Implement the risk management strategy consistently across the organization; and" - }, - { - "id": "pm-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes." - } - ] - }, - { - "id": "pm-9_gdn", - "name": "guidance", - "prose": "An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive." - } - ] - }, - { - "id": "pm-10", - "class": "SP800-53", - "title": "Authorization Process", - "properties": [ - { - "name": "label", - "value": "PM-10" - }, - { - "name": "sort-id", - "value": "PM-10" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - } - ], - "parts": [ - { - "id": "pm-10_smt", - "name": "statement", - "parts": [ - { - "id": "pm-10_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;" - }, - { - "id": "pm-10_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and" - }, - { - "id": "pm-10_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Integrate the authorization processes into an organization-wide risk management program." - } - ] - }, - { - "id": "pm-10_gdn", - "name": "guidance", - "prose": "Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation." - } - ] - }, - { - "id": "pm-11", - "class": "SP800-53", - "title": "Mission and Business Process Definition", - "parameters": [ - { - "id": "pm-11_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-11" - }, - { - "name": "sort-id", - "value": "PM-11" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#68949f14-9cf5-4116-91d8-e820b9df3ffd", - "rel": "reference", - "text": "[SP 800-60 v1]" - }, - { - "href": "#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "rel": "reference", - "text": "[SP 800-60 v2]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-7", - "rel": "related", - "text": "PM-7" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - } - ], - "parts": [ - { - "id": "pm-11_smt", - "name": "statement", - "parts": [ - { - "id": "pm-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and" - }, - { - "id": "pm-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and" - }, - { - "id": "pm-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and revise the mission and business processes {{ pm-11_prm_1 }}." - } - ] - }, - { - "id": "pm-11_gdn", - "name": "guidance", - "prose": "Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures." - } - ] - }, - { - "id": "pm-13", - "class": "SP800-53", - "title": "Security and Privacy Workforce", - "properties": [ - { - "name": "label", - "value": "PM-13" - }, - { - "name": "sort-id", - "value": "PM-13" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f4c3f657-de83-47ae-9aec-e144de8268d1", - "rel": "reference", - "text": "[SP 800-181]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - } - ], - "parts": [ - { - "id": "pm-13_smt", - "name": "statement", - "prose": "Establish a security and privacy workforce development and improvement program." - }, - { - "id": "pm-13_gdn", - "name": "guidance", - "prose": "Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals." - } - ] - }, - { - "id": "pm-14", - "class": "SP800-53", - "title": "Testing, Training, and Monitoring", - "properties": [ - { - "name": "label", - "value": "PM-14" - }, - { - "name": "sort-id", - "value": "PM-14" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "rel": "reference", - "text": "[SP 800-115]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#at-2", - "rel": "related", - "text": "AT-2" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cp-4", - "rel": "related", - "text": "CP-4" - }, - { - "href": "#ir-3", - "rel": "related", - "text": "IR-3" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "pm-14_smt", - "name": "statement", - "parts": [ - { - "id": "pm-14_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:", - "parts": [ - { - "id": "pm-14_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Are developed and maintained; and" - }, - { - "id": "pm-14_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Continue to be executed; and" - } - ] - }, - { - "id": "pm-14_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - } - ] - }, - { - "id": "pm-14_gdn", - "name": "guidance", - "prose": "This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments." - } - ] - }, - { - "id": "pm-18", - "class": "SP800-53", - "title": "Privacy Program Plan", - "properties": [ - { - "name": "label", - "value": "PM-18" - }, - { - "name": "sort-id", - "value": "PM-18" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-18_smt", - "name": "statement", - "parts": [ - { - "id": "pm-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:", - "parts": [ - { - "id": "pm-18_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;" - }, - { - "id": "pm-18_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;" - }, - { - "id": "pm-18_smt.a.3", - "name": "item", - "properties": [ - { - "name": "label", - "value": "3." - } - ], - "prose": "Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;" - }, - { - "id": "pm-18_smt.a.4", - "name": "item", - "properties": [ - { - "name": "label", - "value": "4." - } - ], - "prose": "Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;" - }, - { - "id": "pm-18_smt.a.5", - "name": "item", - "properties": [ - { - "name": "label", - "value": "5." - } - ], - "prose": "Reflects coordination among organizational entities responsible for the different aspects of privacy; and" - }, - { - "id": "pm-18_smt.a.6", - "name": "item", - "properties": [ - { - "name": "label", - "value": "6." - } - ], - "prose": "Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and" - } - ] - }, - { - "id": "pm-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments." - } - ] - }, - { - "id": "pm-18_gdn", - "name": "guidance", - "prose": "A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls." - } - ] - }, - { - "id": "pm-19", - "class": "SP800-53", - "title": "Privacy Program Leadership Role", - "properties": [ - { - "name": "label", - "value": "PM-19" - }, - { - "name": "sort-id", - "value": "PM-19" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-18", - "rel": "related", - "text": "PM-18" - }, - { - "href": "#pm-20", - "rel": "related", - "text": "PM-20" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - } - ], - "parts": [ - { - "id": "pm-19_smt", - "name": "statement", - "prose": "Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program." - }, - { - "id": "pm-19_gdn", - "name": "guidance", - "prose": "The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24)." - } - ] - }, - { - "id": "pm-20", - "class": "SP800-53", - "title": "Dissemination of Privacy Program Information", - "properties": [ - { - "name": "label", - "value": "PM-20" - }, - { - "name": "sort-id", - "value": "PM-20" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#f7d3617a-9a4f-4f1a-a688-845081b70390", - "rel": "reference", - "text": "[OMB M-17-06]" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - } - ], - "parts": [ - { - "id": "pm-20_smt", - "name": "statement", - "prose": "Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:", - "parts": [ - { - "id": "pm-20_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;" - }, - { - "id": "pm-20_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Ensures that organizational privacy practices and reports are publicly available; and" - }, - { - "id": "pm-20_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices." - } - ] - }, - { - "id": "pm-20_gdn", - "name": "guidance", - "prose": "Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications." - } - ] - }, - { - "id": "pm-21", - "class": "SP800-53", - "title": "Accounting of Disclosures", - "properties": [ - { - "name": "label", - "value": "PM-21" - }, - { - "name": "sort-id", - "value": "PM-21" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#au-2", - "rel": "related", - "text": "AU-2" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - } - ], - "parts": [ - { - "id": "pm-21_smt", - "name": "statement", - "parts": [ - { - "id": "pm-21_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:", - "parts": [ - { - "id": "pm-21_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Date, nature, and purpose of each disclosure; and" - }, - { - "id": "pm-21_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Name and address, or other contact information of the person or organization to which the disclosure was made;" - } - ] - }, - { - "id": "pm-21_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and" - }, - { - "id": "pm-21_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request." - } - ] - }, - { - "id": "pm-21_gdn", - "name": "guidance", - "prose": "The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions." - } - ] - }, - { - "id": "pm-22", - "class": "SP800-53", - "title": "Personally Identifiable Information Quality Management", - "properties": [ - { - "name": "label", - "value": "PM-22" - }, - { - "name": "sort-id", - "value": "PM-22" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-22_smt", - "name": "statement", - "prose": "Develop and document policies and procedures for:", - "parts": [ - { - "id": "pm-22_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;" - }, - { - "id": "pm-22_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Correcting or deleting inaccurate or outdated personally identifiable information;" - }, - { - "id": "pm-22_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and" - }, - { - "id": "pm-22_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Appeals of adverse decisions on correction or deletion requests." - } - ] - }, - { - "id": "pm-22_gdn", - "name": "guidance", - "prose": "Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem." - } - ] - }, - { - "id": "pm-24", - "class": "SP800-53", - "title": "Data Integrity Board", - "properties": [ - { - "name": "label", - "value": "PM-24" - }, - { - "name": "sort-id", - "value": "PM-24" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ac-4", - "rel": "related", - "text": "AC-4" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - } - ], - "parts": [ - { - "id": "pm-24_smt", - "name": "statement", - "prose": "Establish a Data Integrity Board to:", - "parts": [ - { - "id": "pm-24_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Review proposals to conduct or participate in a matching program; and" - }, - { - "id": "pm-24_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Conduct an annual review of all matching programs in which the agency has participated." - } - ] - }, - { - "id": "pm-24_gdn", - "name": "guidance", - "prose": "A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy." - } - ] - }, - { - "id": "pm-25", - "class": "SP800-53", - "title": "Minimization of Pii Used in Testing, Training, and Research", - "parameters": [ - { - "id": "pm-25_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-25" - }, - { - "name": "sort-id", - "value": "PM-25" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - } - ], - "parts": [ - { - "id": "pm-25_smt", - "name": "statement", - "parts": [ - { - "id": "pm-25_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;" - }, - { - "id": "pm-25_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;" - }, - { - "id": "pm-25_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and" - }, - { - "id": "pm-25_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review and update policies and procedures {{ pm-25_prm_1 }}." - } - ] - }, - { - "id": "pm-25_gdn", - "name": "guidance", - "prose": "The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2)." - } - ] - }, - { - "id": "pm-26", - "class": "SP800-53", - "title": "Complaint Management", - "parameters": [ - { - "id": "pm-26_prm_1", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_2", - "label": "organization-defined time-period" - }, - { - "id": "pm-26_prm_3", - "label": "organization-defined time-period" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-26" - }, - { - "name": "sort-id", - "value": "PM-26" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pm-26_smt", - "name": "statement", - "prose": "Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:", - "parts": [ - { - "id": "pm-26_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Mechanisms that are easy to use and readily accessible by the public;" - }, - { - "id": "pm-26_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "All information necessary for successfully filing complaints;" - }, - { - "id": "pm-26_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }};" - }, - { - "id": "pm-26_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and" - }, - { - "id": "pm-26_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}." - } - ] - }, - { - "id": "pm-26_gdn", - "name": "guidance", - "prose": "Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information." - } - ] - }, - { - "id": "pm-27", - "class": "SP800-53", - "title": "Privacy Reporting", - "parameters": [ - { - "id": "pm-27_prm_1", - "label": "organization-defined privacy reports" - }, - { - "id": "pm-27_prm_2", - "label": "organization-defined officials" - }, - { - "id": "pm-27_prm_3", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-27" - }, - { - "name": "sort-id", - "value": "PM-27" - } - ], - "links": [ - { - "href": "#14958422-54f6-471f-a345-802dca594dd8", - "rel": "reference", - "text": "[FISMA]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - } - ], - "parts": [ - { - "id": "pm-27_smt", - "name": "statement", - "parts": [ - { - "id": "pm-27_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop {{ pm-27_prm_1 }} and disseminate to:", - "parts": [ - { - "id": "pm-27_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and" - }, - { - "id": "pm-27_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "\n {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and" - } - ] - }, - { - "id": "pm-27_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Review and update privacy reports {{ pm-27_prm_3 }}." - } - ] - }, - { - "id": "pm-27_gdn", - "name": "guidance", - "prose": "Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements." - } - ] - }, - { - "id": "pm-31", - "class": "SP800-53", - "title": "Continuous Monitoring Strategy", - "parameters": [ - { - "id": "pm-31_prm_1", - "label": "organization-defined metrics" - }, - { - "id": "pm-31_prm_2", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_3", - "label": "organization-defined frequencies" - }, - { - "id": "pm-31_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "pm-31_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PM-31" - }, - { - "name": "sort-id", - "value": "PM-31" - } - ], - "links": [ - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#ac-2", - "rel": "related", - "text": "AC-2" - }, - { - "href": "#ac-6", - "rel": "related", - "text": "AC-6" - }, - { - "href": "#ac-17", - "rel": "related", - "text": "AC-17" - }, - { - "href": "#at-4", - "rel": "related", - "text": "AT-4" - }, - { - "href": "#au-6", - "rel": "related", - "text": "AU-6" - }, - { - "href": "#au-13", - "rel": "related", - "text": "AU-13" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-3", - "rel": "related", - "text": "CM-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-11", - "rel": "related", - "text": "CM-11" - }, - { - "href": "#ia-5", - "rel": "related", - "text": "IA-5" - }, - { - "href": "#ir-5", - "rel": "related", - "text": "IR-5" - }, - { - "href": "#ma-2", - "rel": "related", - "text": "MA-2" - }, - { - "href": "#ma-3", - "rel": "related", - "text": "MA-3" - }, - { - "href": "#ma-4", - "rel": "related", - "text": "MA-4" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-6", - "rel": "related", - "text": "PE-6" - }, - { - "href": "#pe-14", - "rel": "related", - "text": "PE-14" - }, - { - "href": "#pe-16", - "rel": "related", - "text": "PE-16" - }, - { - "href": "#pe-20", - "rel": "related", - "text": "PE-20" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-6", - "rel": "related", - "text": "PM-6" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-10", - "rel": "related", - "text": "PM-10" - }, - { - "href": "#pm-12", - "rel": "related", - "text": "PM-12" - }, - { - "href": "#pm-14", - "rel": "related", - "text": "PM-14" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sc-5", - "rel": "related", - "text": "SC-5" - }, - { - "href": "#sc-7", - "rel": "related", - "text": "SC-7" - }, - { - "href": "#sc-18", - "rel": "related", - "text": "SC-18" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-3", - "rel": "related", - "text": "SI-3" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - }, - { - "href": "#sr-4", - "rel": "related", - "text": "SR-4" - } - ], - "parts": [ - { - "id": "pm-31_smt", - "name": "statement", - "prose": "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:", - "parts": [ - { - "id": "pm-31_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }};" - }, - { - "id": "pm-31_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness;" - }, - { - "id": "pm-31_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;" - }, - { - "id": "pm-31_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Correlation and analysis of information generated by control assessments and monitoring;" - }, - { - "id": "pm-31_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" - }, - { - "id": "pm-31_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }}\n {{ pm-31_prm_5 }}." - } - ] - }, - { - "id": "pm-31_gdn", - "name": "guidance", - "prose": "Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4." - } - ] - }, - { - "id": "pm-33", - "class": "SP800-53", - "title": "Privacy Policies on Websites, Applications, and Digital Services", - "properties": [ - { - "name": "label", - "value": "PM-33" - }, - { - "name": "sort-id", - "value": "PM-33" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-19", - "rel": "related", - "text": "PM-19" - }, - { - "href": "#pm-20", - "rel": "related", - "text": "PM-20" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - } - ], - "parts": [ - { - "id": "pm-33_smt", - "name": "statement", - "prose": "Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:", - "parts": [ - { - "id": "pm-33_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Are written in plain language and organized in a way that is easy to understand and navigate;" - }, - { - "id": "pm-33_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide useful information that the public would need to make an informed decision about whether and how to interact with the organization; and" - }, - { - "id": "pm-33_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes." - } - ] - }, - { - "id": "pm-33_gdn", - "name": "guidance", - "prose": "Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations should post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations should provide a link to the privacy policy on any webpage that collects personally identifiable information." - } - ] - } - ] - }, - { - "id": "pt", - "class": "family", - "title": "Personally Identifiable Information Processing and Transparency", - "controls": [ - { - "id": "pt-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "pt-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "pt-1_prm_2" - }, - { - "id": "pt-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "pt-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "pt-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-1" - }, - { - "name": "sort-id", - "value": "PT-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - } - ], - "parts": [ - { - "id": "pt-1_smt", - "name": "statement", - "parts": [ - { - "id": "pt-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ pt-1_prm_1 }}:", - "parts": [ - { - "id": "pt-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ pt-1_prm_2 }} personally identifiable information processing and transparency policy that:", - "parts": [ - { - "id": "pt-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "pt-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "pt-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;" - } - ] - }, - { - "id": "pt-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ pt-1_prm_3 }} to manage the development, documentation, and dissemination of the incident personally identifiable information processing and transparency policy and procedures; and" - }, - { - "id": "pt-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current personally identifiable information processing and transparency:", - "parts": [ - { - "id": "pt-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ pt-1_prm_4 }}; and" - }, - { - "id": "pt-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ pt-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "pt-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the PT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "pt-2", - "class": "SP800-53", - "title": "Authority to Process Personally Identifiable Information", - "parameters": [ - { - "id": "pt-2_prm_1", - "label": "organization-defined authority" - }, - { - "id": "pt-2_prm_2", - "label": "organization-defined processing" - }, - { - "id": "pt-2_prm_3", - "label": "organization-defined processing" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-2" - }, - { - "name": "sort-id", - "value": "PT-02" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pt-2_smt", - "name": "statement", - "parts": [ - { - "id": "pt-2_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Determine and document the {{ pt-2_prm_1 }} that permits the {{ pt-2_prm_2 }} of personally identifiable information; and" - }, - { - "id": "pt-2_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Restrict the {{ pt-2_prm_3 }} of personally identifiable information to only that which is authorized." - } - ] - }, - { - "id": "pt-2_gdn", - "name": "guidance", - "prose": "Processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes, but is not limited to, creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.\nOrganizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organizations’ policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise from its processing. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.\nOrganizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT] statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.\nOrganizations take steps to ensure that personally identifiable information is processed only for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information." - } - ] - }, - { - "id": "pt-3", - "class": "SP800-53", - "title": "Personally Identifiable Information Processing Purposes", - "parameters": [ - { - "id": "pt-3_prm_1", - "label": "Assignment organization-defined purpose(s)" - }, - { - "id": "pt-3_prm_2", - "label": "organization-defined processing" - }, - { - "id": "pt-3_prm_3", - "label": "organization-defined mechanisms" - }, - { - "id": "pt-3_prm_4", - "label": "organization-defined requirements" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-3" - }, - { - "name": "sort-id", - "value": "PT-03" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ac-3", - "rel": "related", - "text": "AC-3" - }, - { - "href": "#at-3", - "rel": "related", - "text": "AT-3" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-25", - "rel": "related", - "text": "PM-25" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-8", - "rel": "related", - "text": "RA-8" - }, - { - "href": "#sc-43", - "rel": "related", - "text": "SC-43" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pt-3_smt", - "name": "statement", - "parts": [ - { - "id": "pt-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Identify and document the {{ pt-3_prm_1 }} for processing personally identifiable information;" - }, - { - "id": "pt-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Describe the purpose(s) in the public privacy notices and policies of the organization;" - }, - { - "id": "pt-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Restrict the {{ pt-3_prm_2 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and" - }, - { - "id": "pt-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Monitor changes in processing personally identifiable information and implement {{ pt-3_prm_3 }} to ensure that any changes are made in accordance with {{ pt-3_prm_4 }}." - } - ] - }, - { - "id": "pt-3_gdn", - "name": "guidance", - "prose": "Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system, and individuals whose information is processed by the system, to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations, and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT] statements, computer matching notices, and other applicable Federal Register notices.\nOrganizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.\nOrganizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes arising from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks arising from changes in personally identifiable information processing purposes." - } - ] - }, - { - "id": "pt-4", - "class": "SP800-53", - "title": "Minimization", - "parameters": [ - { - "id": "pt-4_prm_1", - "label": "organization-defined processes" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-4" - }, - { - "name": "sort-id", - "value": "PT-04" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#pm-25", - "rel": "related", - "text": "PM-25" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sc-42", - "rel": "related", - "text": "SC-42" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "pt-4_smt", - "name": "statement", - "prose": "Implement the privacy principle of minimization using {{ pt-4_prm_1 }}." - }, - { - "id": "pt-4_gdn", - "name": "guidance", - "prose": "The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose, and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization." - } - ] - }, - { - "id": "pt-5", - "class": "SP800-53", - "title": "Consent", - "parameters": [ - { - "id": "pt-5_prm_1", - "label": "organization-defined tools or mechanisms" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-5" - }, - { - "name": "sort-id", - "value": "PT-05" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#549993c0-9bdd-4d49-875c-f56950cc5f30", - "rel": "reference", - "text": "[SP 800-63-3]" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - } - ], - "parts": [ - { - "id": "pt-5_smt", - "name": "statement", - "prose": "Implement {{ pt-5_prm_1 }} for individuals to consent to the processing of their personally identifiable information prior to its collection that:", - "parts": [ - { - "id": "pt-5_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Facilitate individuals’ informed decision-making; and" - }, - { - "id": "pt-5_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Provide a means for individuals to decline consent." - } - ] - }, - { - "id": "pt-5_gdn", - "name": "guidance", - "prose": "Consent allows individuals to participate in the decision-making about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting this control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks arising from their authorization. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the data actions carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon." - } - ] - }, - { - "id": "pt-6", - "class": "SP800-53", - "title": "Privacy Notice", - "parameters": [ - { - "id": "pt-6_prm_1", - "label": "organization-defined frequency" - }, - { - "id": "pt-6_prm_2", - "label": "organization-defined information" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-6" - }, - { - "name": "sort-id", - "value": "PT-06" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#pm-20", - "rel": "related", - "text": "PM-20" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-5", - "rel": "related", - "text": "PT-5" - }, - { - "href": "#pt-8", - "rel": "related", - "text": "PT-8" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#si-18", - "rel": "related", - "text": "SI-18" - } - ], - "parts": [ - { - "id": "pt-6_smt", - "name": "statement", - "prose": "Provide notice to individuals about the processing of personally identifiable information that:", - "parts": [ - { - "id": "pt-6_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Is available to individuals upon first interacting with an organization, and subsequently at {{ pt-6_prm_1 }};" - }, - { - "id": "pt-6_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;" - }, - { - "id": "pt-6_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Identifies the authority that authorizes the processing of personally identifiable information;" - }, - { - "id": "pt-6_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Identifies the purposes for which personally identifiable information is to be processed; and" - }, - { - "id": "pt-6_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Includes {{ pt-6_prm_2 }}." - } - ] - }, - { - "id": "pt-6_gdn", - "name": "guidance", - "prose": "Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and, other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.\nPrivacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon." - } - ], - "controls": [ - { - "id": "pt-6.2", - "class": "SP800-53-enhancement", - "title": "Privacy Act Statements", - "properties": [ - { - "name": "label", - "value": "PT-6(2)" - }, - { - "name": "sort-id", - "value": "PT-06(02)" - } - ], - "links": [ - { - "href": "#pt-7", - "rel": "related", - "text": "PT-7" - } - ], - "parts": [ - { - "id": "pt-6.2_smt", - "name": "statement", - "prose": "Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals." - }, - { - "id": "pt-6.2_gdn", - "name": "guidance", - "prose": "If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT] statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT] statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.\n[PRIVACT] statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT]." - } - ] - } - ] - }, - { - "id": "pt-7", - "class": "SP800-53", - "title": "System of Records Notice", - "properties": [ - { - "name": "label", - "value": "PT-7" - }, - { - "name": "sort-id", - "value": "PT-07" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#pm-20", - "rel": "related", - "text": "PM-20" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - } - ], - "parts": [ - { - "id": "pt-7_smt", - "name": "statement", - "prose": "For systems that process information that will be maintained in a Privacy Act system of records:", - "parts": [ - { - "id": "pt-7_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;" - }, - { - "id": "pt-7_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Publish system of records notices in the Federal Register; and" - }, - { - "id": "pt-7_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Keep system of records notices accurate, up-to-date, and scoped in accordance with policy." - } - ] - }, - { - "id": "pt-7_gdn", - "name": "guidance", - "prose": "The [PRIVACT] requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a [PRIVACT] system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system, and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108]." - } - ], - "controls": [ - { - "id": "pt-7.1", - "class": "SP800-53-enhancement", - "title": "Routine Uses", - "parameters": [ - { - "id": "pt-7.1_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-7(1)" - }, - { - "name": "sort-id", - "value": "PT-07(01)" - } - ], - "parts": [ - { - "id": "pt-7.1_smt", - "name": "statement", - "prose": "Review all routine uses published in the system of records notice at {{ pt-7.1_prm_1 }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected." - }, - { - "id": "pt-7.1_gdn", - "name": "guidance", - "prose": "A [PRIVACT] routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT] prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT] requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice." - } - ] - }, - { - "id": "pt-7.2", - "class": "SP800-53-enhancement", - "title": "Exemption Rules", - "parameters": [ - { - "id": "pt-7.2_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-7(2)" - }, - { - "name": "sort-id", - "value": "PT-07(02)" - } - ], - "parts": [ - { - "id": "pt-7.2_smt", - "name": "statement", - "prose": "Review all Privacy Act exemptions claimed for the system of records at {{ pt-7.2_prm_1 }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice." - }, - { - "id": "pt-7.2_gdn", - "name": "guidance", - "prose": "The [PRIVACT] includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. These provisions allow agencies in certain circumstances to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate." - } - ] - } - ] - }, - { - "id": "pt-8", - "class": "SP800-53", - "title": "Specific Categories of Personally Identifiable Information", - "parameters": [ - { - "id": "pt-8_prm_1", - "label": "organization-defined processing conditions" - } - ], - "properties": [ - { - "name": "label", - "value": "PT-8" - }, - { - "name": "sort-id", - "value": "PT-08" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - } - ], - "parts": [ - { - "id": "pt-8_smt", - "name": "statement", - "prose": "Apply {{ pt-8_prm_1 }} for specific categories of personally identifiable information." - }, - { - "id": "pt-8_gdn", - "name": "guidance", - "prose": "Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from organizational policies and determinations when an organization has determined that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary." - } - ], - "controls": [ - { - "id": "pt-8.1", - "class": "SP800-53-enhancement", - "title": "Social Security Numbers", - "properties": [ - { - "name": "label", - "value": "PT-8(1)" - }, - { - "name": "sort-id", - "value": "PT-08(01)" - } - ], - "parts": [ - { - "id": "pt-8.1_smt", - "name": "statement", - "prose": "When a system processes Social Security numbers:", - "parts": [ - { - "id": "pt-8.1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;" - }, - { - "id": "pt-8.1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and" - }, - { - "id": "pt-8.1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(c)" - } - ], - "prose": "Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it." - } - ] - }, - { - "id": "pt-8.1_gdn", - "name": "guidance", - "prose": "Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information, and observe any particular requirements that apply." - } - ] - }, - { - "id": "pt-8.2", - "class": "SP800-53-enhancement", - "title": "First Amendment Information", - "properties": [ - { - "name": "label", - "value": "PT-8(2)" - }, - { - "name": "sort-id", - "value": "PT-08(02)" - } - ], - "parts": [ - { - "id": "pt-8.2_smt", - "name": "statement", - "prose": "Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity." - }, - { - "id": "pt-8.2_gdn", - "name": "guidance", - "prose": "None.\nRelated Controls: The [PRIVACT] limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements." - } - ] - } - ] - }, - { - "id": "pt-9", - "class": "SP800-53", - "title": "Computer Matching Requirements", - "properties": [ - { - "name": "label", - "value": "PT-9" - }, - { - "name": "sort-id", - "value": "PT-09" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "rel": "reference", - "text": "[OMB A-108]" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - } - ], - "parts": [ - { - "id": "pt-9_smt", - "name": "statement", - "prose": "When a system or organization processes information for the purpose of conducting a matching program:", - "parts": [ - { - "id": "pt-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Obtain approval from the Data Integrity Board to conduct the matching program;" - }, - { - "id": "pt-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Develop and enter into a computer matching agreement;" - }, - { - "id": "pt-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Publish a matching notice in the Federal Register;" - }, - { - "id": "pt-9_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and" - }, - { - "id": "pt-9_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual." - } - ] - }, - { - "id": "pt-9_gdn", - "name": "guidance", - "prose": "The [PRIVACT] establishes a set of requirements for federal and non-federal agencies when they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. A Federal benefit match is performed for purposes of determining or verifying eligibility for payments under Federal benefit programs, or recouping payments or delinquent debts under Federal benefit programs. A matching program involves not just the matching activity itself, but also the investigative follow-up and ultimate action, if any." - } - ] - } - ] - }, - { - "id": "ra", - "class": "family", - "title": "Risk Assessment", - "controls": [ - { - "id": "ra-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "ra-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-1_prm_2" - }, - { - "id": "ra-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "ra-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "ra-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-1" - }, - { - "name": "sort-id", - "value": "RA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-1_smt", - "name": "statement", - "parts": [ - { - "id": "ra-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ ra-1_prm_1 }}:", - "parts": [ - { - "id": "ra-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ ra-1_prm_2 }} risk assessment policy that:", - "parts": [ - { - "id": "ra-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "ra-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "ra-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" - } - ] - }, - { - "id": "ra-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" - }, - { - "id": "ra-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current risk assessment:", - "parts": [ - { - "id": "ra-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ ra-1_prm_4 }}; and" - }, - { - "id": "ra-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ ra-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "ra-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "ra-3", - "class": "SP800-53", - "title": "Risk Assessment", - "parameters": [ - { - "id": "ra-3_prm_1" - }, - { - "id": "ra-3_prm_2", - "depends-on": "ra-3_prm_1", - "label": "organization-defined document" - }, - { - "id": "ra-3_prm_3", - "label": "organization-defined frequency" - }, - { - "id": "ra-3_prm_4", - "label": "organization-defined personnel or roles" - }, - { - "id": "ra-3_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "RA-3" - }, - { - "name": "sort-id", - "value": "RA-03" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "rel": "reference", - "text": "[IR 8023]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#cp-6", - "rel": "related", - "text": "CP-6" - }, - { - "href": "#cp-7", - "rel": "related", - "text": "CP-7" - }, - { - "href": "#ia-8", - "rel": "related", - "text": "IA-8" - }, - { - "href": "#ma-5", - "rel": "related", - "text": "MA-5" - }, - { - "href": "#pe-3", - "rel": "related", - "text": "PE-3" - }, - { - "href": "#pe-18", - "rel": "related", - "text": "PE-18" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-5", - "rel": "related", - "text": "RA-5" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-9", - "rel": "related", - "text": "SA-9" - }, - { - "href": "#sc-38", - "rel": "related", - "text": "SC-38" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "ra-3_smt", - "name": "statement", - "parts": [ - { - "id": "ra-3_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Conduct a risk assessment, including:", - "parts": [ - { - "id": "ra-3_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" - }, - { - "id": "ra-3_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" - } - ] - }, - { - "id": "ra-3_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" - }, - { - "id": "ra-3_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Document risk assessment results in {{ ra-3_prm_1 }};" - }, - { - "id": "ra-3_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Review risk assessment results {{ ra-3_prm_3 }};" - }, - { - "id": "ra-3_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Disseminate risk assessment results to {{ ra-3_prm_4 }}; and" - }, - { - "id": "ra-3_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." - } - ] - }, - { - "id": "ra-3_gdn", - "name": "guidance", - "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\nIn addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." - } - ] - }, - { - "id": "ra-7", - "class": "SP800-53", - "title": "Risk Response", - "properties": [ - { - "name": "label", - "value": "RA-7" - }, - { - "name": "sort-id", - "value": "RA-07" - } - ], - "links": [ - { - "href": "#b3e26423-0687-47c7-ba9a-a96870d58a27", - "rel": "reference", - "text": "[FIPS 199]" - }, - { - "href": "#f2163084-3287-45e2-9ee7-95f020415495", - "rel": "reference", - "text": "[FIPS 200]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ir-9", - "rel": "related", - "text": "IR-9" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-28", - "rel": "related", - "text": "PM-28" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sr-2", - "rel": "related", - "text": "SR-2" - } - ], - "parts": [ - { - "id": "ra-7_smt", - "name": "statement", - "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." - }, - { - "id": "ra-7_gdn", - "name": "guidance", - "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." - } - ] - }, - { - "id": "ra-8", - "class": "SP800-53", - "title": "Privacy Impact Assessments", - "properties": [ - { - "name": "label", - "value": "RA-8" - }, - { - "name": "sort-id", - "value": "RA-08" - } - ], - "links": [ - { - "href": "#bc2bf069-c3a5-48a4-a274-684d997be0c2", - "rel": "reference", - "text": "[EGOV]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#cm-13", - "rel": "related", - "text": "CM-13" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#pt-6", - "rel": "related", - "text": "PT-6" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#ra-7", - "rel": "related", - "text": "RA-7" - } - ], - "parts": [ - { - "id": "ra-8_smt", - "name": "statement", - "prose": "Conduct privacy impact assessments for systems, programs, or other activities before:", - "parts": [ - { - "id": "ra-8_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Developing or procuring information technology that processes personally identifiable information; and" - }, - { - "id": "ra-8_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Initiating a new collection of personally identifiable information that:", - "parts": [ - { - "id": "ra-8_smt.b.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Will be processed using information technology; and" - }, - { - "id": "ra-8_smt.b.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Includes personally identifiable information permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the federal government." - } - ] - } - ] - }, - { - "id": "ra-8_gdn", - "name": "guidance", - "prose": "A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis.\nOrganizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.\nTo conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes which may have different labels, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision." - } - ] - } - ] - }, - { - "id": "sa", - "class": "family", - "title": "System and Services Acquisition", - "controls": [ - { - "id": "sa-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "sa-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "sa-1_prm_2" - }, - { - "id": "sa-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "sa-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "sa-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-1" - }, - { - "name": "sort-id", - "value": "SA-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#451e9636-402e-4c27-b3f5-e0e50f957f27", - "rel": "reference", - "text": "[SP 800-39]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "sa-1_smt", - "name": "statement", - "parts": [ - { - "id": "sa-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ sa-1_prm_1 }}:", - "parts": [ - { - "id": "sa-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ sa-1_prm_2 }} system and services acquisition policy that:", - "parts": [ - { - "id": "sa-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "sa-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "sa-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" - } - ] - }, - { - "id": "sa-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" - }, - { - "id": "sa-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and services acquisition:", - "parts": [ - { - "id": "sa-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ sa-1_prm_4 }}; and" - }, - { - "id": "sa-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ sa-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "sa-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "sa-4", - "class": "SP800-53", - "title": "Acquisition Process", - "parameters": [ - { - "id": "sa-4_prm_1" - }, - { - "id": "sa-4_prm_2", - "depends-on": "sa-4_prm_1", - "label": "organization-defined contract language" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-4" - }, - { - "name": "sort-id", - "value": "SA-04" - } - ], - "links": [ - { - "href": "#a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "rel": "reference", - "text": "[PRIVACT]" - }, - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "rel": "reference", - "text": "[ISO 15408-1]" - }, - { - "href": "#18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "rel": "reference", - "text": "[ISO 15408-2]" - }, - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "rel": "reference", - "text": "[FIPS 140-3]" - }, - { - "href": "#ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "rel": "reference", - "text": "[FIPS 201-2]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#e07d73ea-96b9-4330-aff2-e0215f455343", - "rel": "reference", - "text": "[SP 800-37]" - }, - { - "href": "#14a7d982-9747-48e0-a877-3e8fbf6ae381", - "rel": "reference", - "text": "[SP 800-70]" - }, - { - "href": "#3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "rel": "reference", - "text": "[SP 800-73-4]" - }, - { - "href": "#c3b34083-77b2-4dab-a980-73068f8933bd", - "rel": "reference", - "text": "[SP 800-137]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "rel": "reference", - "text": "[IR 7539]" - }, - { - "href": "#7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "rel": "reference", - "text": "[IR 7622]" - }, - { - "href": "#daf69edb-a0ef-4447-9880-8c4bf553181f", - "rel": "reference", - "text": "[IR 7676]" - }, - { - "href": "#197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "rel": "reference", - "text": "[IR 7870]" - }, - { - "href": "#817b4227-5857-494d-9032-915980b32f15", - "rel": "reference", - "text": "[IR 8062]" - }, - { - "href": "#5dac2312-1d0d-416f-aebb-400fa9775b74", - "rel": "reference", - "text": "[NIAP CCEVS]" - }, - { - "href": "#634dec27-df88-4c30-b1a4-b57cdfd24f20", - "rel": "reference", - "text": "[NSA CSFC]" - }, - { - "href": "#cm-6", - "rel": "related", - "text": "CM-6" - }, - { - "href": "#cm-8", - "rel": "related", - "text": "CM-8" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-11", - "rel": "related", - "text": "SA-11" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-16", - "rel": "related", - "text": "SA-16" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#sa-21", - "rel": "related", - "text": "SA-21" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-4_smt", - "name": "statement", - "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service:", - "parts": [ - { - "id": "sa-4_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Security and privacy functional requirements;" - }, - { - "id": "sa-4_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Strength of mechanism requirements;" - }, - { - "id": "sa-4_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Security and privacy assurance requirements;" - }, - { - "id": "sa-4_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Controls needed to satisfy the security and privacy requirements." - }, - { - "id": "sa-4_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Security and privacy documentation requirements;" - }, - { - "id": "sa-4_smt.f", - "name": "item", - "properties": [ - { - "name": "label", - "value": "f." - } - ], - "prose": "Requirements for protecting security and privacy documentation;" - }, - { - "id": "sa-4_smt.g", - "name": "item", - "properties": [ - { - "name": "label", - "value": "g." - } - ], - "prose": "Description of the system development environment and environment in which the system is intended to operate;" - }, - { - "id": "sa-4_smt.h", - "name": "item", - "properties": [ - { - "name": "label", - "value": "h." - } - ], - "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" - }, - { - "id": "sa-4_smt.i", - "name": "item", - "properties": [ - { - "name": "label", - "value": "i." - } - ], - "prose": "Acceptance criteria." - } - ] - }, - { - "id": "sa-4_gdn", - "name": "guidance", - "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement." - } - ] - }, - { - "id": "sa-9", - "class": "SP800-53", - "title": "External System Services", - "parameters": [ - { - "id": "sa-9_prm_1", - "label": "organization-defined controls" - }, - { - "id": "sa-9_prm_2", - "label": "organization-defined processes, methods, and techniques" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-9" - }, - { - "name": "sort-id", - "value": "SA-09" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "rel": "reference", - "text": "[SP 800-35]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#66476e76-46b4-47fb-be19-d13e6f3840df", - "rel": "reference", - "text": "[SP 800-161]" - }, - { - "href": "#ac-20", - "rel": "related", - "text": "AC-20" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-4", - "rel": "related", - "text": "IR-4" - }, - { - "href": "#ir-7", - "rel": "related", - "text": "IR-7" - }, - { - "href": "#pl-10", - "rel": "related", - "text": "PL-10" - }, - { - "href": "#pl-11", - "rel": "related", - "text": "PL-11" - }, - { - "href": "#ps-7", - "rel": "related", - "text": "PS-7" - }, - { - "href": "#sa-2", - "rel": "related", - "text": "SA-2" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sr-3", - "rel": "related", - "text": "SR-3" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - } - ], - "parts": [ - { - "id": "sa-9_smt", - "name": "statement", - "parts": [ - { - "id": "sa-9_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }};" - }, - { - "id": "sa-9_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" - }, - { - "id": "sa-9_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}." - } - ] - }, - { - "id": "sa-9_gdn", - "name": "guidance", - "prose": "External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." - } - ] - }, - { - "id": "sa-11", - "class": "SP800-53", - "title": "Developer Testing and Evaluation", - "parameters": [ - { - "id": "sa-11_prm_1" - }, - { - "id": "sa-11_prm_2", - "label": "organization-defined frequency" - }, - { - "id": "sa-11_prm_3", - "label": "organization-defined depth and coverage" - } - ], - "properties": [ - { - "name": "label", - "value": "SA-11" - }, - { - "name": "sort-id", - "value": "SA-11" - } - ], - "links": [ - { - "href": "#2ce3a8bf-7f8b-4249-bd16-808231415b14", - "rel": "reference", - "text": "[ISO 15408-3]" - }, - { - "href": "#1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "rel": "reference", - "text": "[SP 800-30]" - }, - { - "href": "#5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "rel": "reference", - "text": "[SP 800-53A]" - }, - { - "href": "#fd0f14f5-8910-45c4-b60a-0c8936e00daa", - "rel": "reference", - "text": "[SP 800-154]" - }, - { - "href": "#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "rel": "reference", - "text": "[SP 800-160 v1]" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#cm-4", - "rel": "related", - "text": "CM-4" - }, - { - "href": "#sa-3", - "rel": "related", - "text": "SA-3" - }, - { - "href": "#sa-4", - "rel": "related", - "text": "SA-4" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#sa-15", - "rel": "related", - "text": "SA-15" - }, - { - "href": "#sa-17", - "rel": "related", - "text": "SA-17" - }, - { - "href": "#si-2", - "rel": "related", - "text": "SI-2" - }, - { - "href": "#sr-5", - "rel": "related", - "text": "SR-5" - }, - { - "href": "#sr-6", - "rel": "related", - "text": "SR-6" - }, - { - "href": "#sr-7", - "rel": "related", - "text": "SR-7" - } - ], - "parts": [ - { - "id": "sa-11_smt", - "name": "statement", - "prose": "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:", - "parts": [ - { - "id": "sa-11_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop and implement a plan for ongoing security and privacy assessments;" - }, - { - "id": "sa-11_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }};" - }, - { - "id": "sa-11_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;" - }, - { - "id": "sa-11_smt.d", - "name": "item", - "properties": [ - { - "name": "label", - "value": "d." - } - ], - "prose": "Implement a verifiable flaw remediation process; and" - }, - { - "id": "sa-11_smt.e", - "name": "item", - "properties": [ - { - "name": "label", - "value": "e." - } - ], - "prose": "Correct flaws identified during testing and evaluation." - } - ] - }, - { - "id": "sa-11_gdn", - "name": "guidance", - "prose": "Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation." - } - ] - } - ] - }, - { - "id": "si", - "class": "family", - "title": "System and Information Integrity", - "controls": [ - { - "id": "si-1", - "class": "SP800-53", - "title": "Policy and Procedures", - "parameters": [ - { - "id": "si-1_prm_1", - "label": "organization-defined personnel or roles" - }, - { - "id": "si-1_prm_2" - }, - { - "id": "si-1_prm_3", - "label": "organization-defined official" - }, - { - "id": "si-1_prm_4", - "label": "organization-defined frequency" - }, - { - "id": "si-1_prm_5", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-1" - }, - { - "name": "sort-id", - "value": "SI-01" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130]" - }, - { - "href": "#12702585-0c72-43c9-9185-a76a59f74233", - "rel": "reference", - "text": "[SP 800-12]" - }, - { - "href": "#9183bd83-170e-4701-b32c-97e08ef8bedb", - "rel": "reference", - "text": "[SP 800-100]" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-8", - "rel": "related", - "text": "PS-8" - }, - { - "href": "#sa-8", - "rel": "related", - "text": "SA-8" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "si-1_smt", - "name": "statement", - "parts": [ - { - "id": "si-1_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Develop, document, and disseminate to {{ si-1_prm_1 }}:", - "parts": [ - { - "id": "si-1_smt.a.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "\n {{ si-1_prm_2 }} system and information integrity policy that:", - "parts": [ - { - "id": "si-1_smt.a.1.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(a)" - } - ], - "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" - }, - { - "id": "si-1_smt.a.1.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "(b)" - } - ], - "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" - } - ] - }, - { - "id": "si-1_smt.a.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" - } - ] - }, - { - "id": "si-1_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" - }, - { - "id": "si-1_smt.c", - "name": "item", - "properties": [ - { - "name": "label", - "value": "c." - } - ], - "prose": "Review and update the current system and information integrity:", - "parts": [ - { - "id": "si-1_smt.c.1", - "name": "item", - "properties": [ - { - "name": "label", - "value": "1." - } - ], - "prose": "Policy {{ si-1_prm_4 }}; and" - }, - { - "id": "si-1_smt.c.2", - "name": "item", - "properties": [ - { - "name": "label", - "value": "2." - } - ], - "prose": "Procedures {{ si-1_prm_5 }}." - } - ] - } - ] - }, - { - "id": "si-1_gdn", - "name": "guidance", - "prose": "This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure." - } - ] - }, - { - "id": "si-12", - "class": "SP800-53", - "title": "Information Management and Retention", - "properties": [ - { - "name": "label", - "value": "SI-12" - }, - { - "name": "sort-id", - "value": "SI-12" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#ac-1", - "rel": "related", - "text": "AC-1" - }, - { - "href": "#at-1", - "rel": "related", - "text": "AT-1" - }, - { - "href": "#au-1", - "rel": "related", - "text": "AU-1" - }, - { - "href": "#ca-1", - "rel": "related", - "text": "CA-1" - }, - { - "href": "#cm-1", - "rel": "related", - "text": "CM-1" - }, - { - "href": "#cp-1", - "rel": "related", - "text": "CP-1" - }, - { - "href": "#ia-1", - "rel": "related", - "text": "IA-1" - }, - { - "href": "#ir-1", - "rel": "related", - "text": "IR-1" - }, - { - "href": "#ma-1", - "rel": "related", - "text": "MA-1" - }, - { - "href": "#mp-1", - "rel": "related", - "text": "MP-1" - }, - { - "href": "#pe-1", - "rel": "related", - "text": "PE-1" - }, - { - "href": "#pl-1", - "rel": "related", - "text": "PL-1" - }, - { - "href": "#pm-1", - "rel": "related", - "text": "PM-1" - }, - { - "href": "#ps-1", - "rel": "related", - "text": "PS-1" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#ra-1", - "rel": "related", - "text": "RA-1" - }, - { - "href": "#sa-1", - "rel": "related", - "text": "SA-1" - }, - { - "href": "#sc-1", - "rel": "related", - "text": "SC-1" - }, - { - "href": "#si-1", - "rel": "related", - "text": "SI-1" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - }, - { - "href": "#ac-16", - "rel": "related", - "text": "AC-16" - }, - { - "href": "#au-5", - "rel": "related", - "text": "AU-5" - }, - { - "href": "#au-11", - "rel": "related", - "text": "AU-11" - }, - { - "href": "#ca-2", - "rel": "related", - "text": "CA-2" - }, - { - "href": "#ca-3", - "rel": "related", - "text": "CA-3" - }, - { - "href": "#ca-5", - "rel": "related", - "text": "CA-5" - }, - { - "href": "#ca-6", - "rel": "related", - "text": "CA-6" - }, - { - "href": "#ca-7", - "rel": "related", - "text": "CA-7" - }, - { - "href": "#ca-9", - "rel": "related", - "text": "CA-9" - }, - { - "href": "#cm-5", - "rel": "related", - "text": "CM-5" - }, - { - "href": "#cm-9", - "rel": "related", - "text": "CM-9" - }, - { - "href": "#cp-2", - "rel": "related", - "text": "CP-2" - }, - { - "href": "#ir-8", - "rel": "related", - "text": "IR-8" - }, - { - "href": "#mp-2", - "rel": "related", - "text": "MP-2" - }, - { - "href": "#mp-3", - "rel": "related", - "text": "MP-3" - }, - { - "href": "#mp-4", - "rel": "related", - "text": "MP-4" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pl-2", - "rel": "related", - "text": "PL-2" - }, - { - "href": "#pl-4", - "rel": "related", - "text": "PL-4" - }, - { - "href": "#pm-4", - "rel": "related", - "text": "PM-4" - }, - { - "href": "#pm-8", - "rel": "related", - "text": "PM-8" - }, - { - "href": "#pm-9", - "rel": "related", - "text": "PM-9" - }, - { - "href": "#ps-2", - "rel": "related", - "text": "PS-2" - }, - { - "href": "#ps-6", - "rel": "related", - "text": "PS-6" - }, - { - "href": "#pt-1", - "rel": "related", - "text": "PT-1" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - }, - { - "href": "#sa-5", - "rel": "related", - "text": "SA-5" - }, - { - "href": "#sr-1", - "rel": "related", - "text": "SR-1" - } - ], - "parts": [ - { - "id": "si-12_smt", - "name": "statement", - "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." - }, - { - "id": "si-12_gdn", - "name": "guidance", - "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel." - } - ], - "controls": [ - { - "id": "si-12.1", - "class": "SP800-53-enhancement", - "title": "Limit Personally Identifiable Information Elements", - "parameters": [ - { - "id": "si-12.1_prm_1", - "label": "organization-defined elements of personally identifiable information" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-12(1)" - }, - { - "name": "sort-id", - "value": "SI-12(01)" - } - ], - "links": [ - { - "href": "#pm-25", - "rel": "related", - "text": "PM-25" - }, - { - "href": "#pt-2", - "rel": "related", - "text": "PT-2" - }, - { - "href": "#pt-3", - "rel": "related", - "text": "PT-3" - }, - { - "href": "#ra-3", - "rel": "related", - "text": "RA-3" - } - ], - "parts": [ - { - "id": "si-12.1_smt", - "name": "statement", - "prose": "Limit personally identifiable information being processed in the information life cycle to the following elements of PII: {{ si-12.1_prm_1 }}." - }, - { - "id": "si-12.1_gdn", - "name": "guidance", - "prose": "Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk." - } - ] - }, - { - "id": "si-12.2", - "class": "SP800-53-enhancement", - "title": "Minimize Personally Identifiable Information in Testing, Training, and Research", - "parameters": [ - { - "id": "si-12.2_prm_1", - "label": "organization-defined techniques" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-12(2)" - }, - { - "name": "sort-id", - "value": "SI-12(02)" - } - ], - "links": [ - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-25", - "rel": "related", - "text": "PM-25" - }, - { - "href": "#si-19", - "rel": "related", - "text": "SI-19" - } - ], - "parts": [ - { - "id": "si-12.2_smt", - "name": "statement", - "prose": "Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ si-12.2_prm_1 }}." - }, - { - "id": "si-12.2_gdn", - "name": "guidance", - "prose": "Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them." - } - ] - }, - { - "id": "si-12.3", - "class": "SP800-53-enhancement", - "title": "Information Disposal", - "parameters": [ - { - "id": "si-12.3_prm_1", - "label": "organization-defined techniques" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-12(3)" - }, - { - "name": "sort-id", - "value": "SI-12(03)" - } - ], - "links": [ - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - } - ], - "parts": [ - { - "id": "si-12.3_smt", - "name": "statement", - "prose": "Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ si-12.3_prm_1 }}." - }, - { - "id": "si-12.3_gdn", - "name": "guidance", - "prose": "Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. Disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information." - } - ] - } - ] - }, - { - "id": "si-18", - "class": "SP800-53", - "title": "Personally Identifiable Information Quality Operations", - "parameters": [ - { - "id": "si-18_prm_1", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-18" - }, - { - "name": "sort-id", - "value": "SI-18" - } - ], - "links": [ - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#si-4", - "rel": "related", - "text": "SI-4" - } - ], - "parts": [ - { - "id": "si-18_smt", - "name": "statement", - "parts": [ - { - "id": "si-18_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ si-18_prm_1 }}; and" - }, - { - "id": "si-18_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Correct or delete inaccurate or outdated personally identifiable information." - } - ] - }, - { - "id": "si-18_gdn", - "name": "guidance", - "prose": "Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes." - } - ], - "controls": [ - { - "id": "si-18.4", - "class": "SP800-53-enhancement", - "title": "Individual Requests", - "properties": [ - { - "name": "label", - "value": "SI-18(4)" - }, - { - "name": "sort-id", - "value": "SI-18(04)" - } - ], - "links": [ - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - } - ], - "parts": [ - { - "id": "si-18.4_smt", - "name": "statement", - "prose": "Correct or delete personally identifiable information upon request by individuals or their designated representatives." - }, - { - "id": "si-18.4_gdn", - "name": "guidance", - "prose": "Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion in determining if personally identifiable information is to be corrected or deleted, based on the scope of requests, the changes sought, the impact of the changes, and applicable laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion." - } - ] - } - ] - }, - { - "id": "si-19", - "class": "SP800-53", - "title": "De-identification", - "parameters": [ - { - "id": "si-19_prm_1", - "label": "organization-defined elements of personally identifiable information" - }, - { - "id": "si-19_prm_2", - "label": "organization-defined frequency" - } - ], - "properties": [ - { - "name": "label", - "value": "SI-19" - }, - { - "name": "sort-id", - "value": "SI-19" - } - ], - "links": [ - { - "href": "#a646d45d-775f-4887-86d3-5a00ffbc4090", - "rel": "reference", - "text": "[OMB A-130, Appendix II]" - }, - { - "href": "#eadef75e-7e4d-4554-b818-44946c1dde0e", - "rel": "reference", - "text": "[SP 800-188]" - }, - { - "href": "#mp-6", - "rel": "related", - "text": "MP-6" - }, - { - "href": "#pm-22", - "rel": "related", - "text": "PM-22" - }, - { - "href": "#pm-23", - "rel": "related", - "text": "PM-23" - }, - { - "href": "#pm-24", - "rel": "related", - "text": "PM-24" - }, - { - "href": "#ra-2", - "rel": "related", - "text": "RA-2" - }, - { - "href": "#si-12", - "rel": "related", - "text": "SI-12" - } - ], - "parts": [ - { - "id": "si-19_smt", - "name": "statement", - "parts": [ - { - "id": "si-19_smt.a", - "name": "item", - "properties": [ - { - "name": "label", - "value": "a." - } - ], - "prose": "Remove the following elements of personally identifiable information from datasets: {{ si-19_prm_1 }}; and" - }, - { - "id": "si-19_smt.b", - "name": "item", - "properties": [ - { - "name": "label", - "value": "b." - } - ], - "prose": "Evaluate {{ si-19_prm_2 }} for effectiveness of de-identification." - } - ] - }, - { - "id": "si-19_gdn", - "name": "guidance", - "prose": "De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection, since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time supports management of this residual risk." - } - ] - } - ] - } - ], - "back-matter": { - "resources": [ - { - "uuid": "a7dfa526-b81f-41d7-9875-c8b0faafe74b", - "title": "[PRIVACT]", - "citation": { - "text": "Privacy Act (P.L. 93-579), December 1974." - }, - "rlinks": [ - { - "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" - } - ] - }, - { - "uuid": "bc2bf069-c3a5-48a4-a274-684d997be0c2", - "title": "[EGOV]", - "citation": { - "text": "E-Government Act [includes FISMA] (P.L. 107-347), December 2002." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/107/plaws/publ347/PLAW-107publ347.pdf" - } - ] - }, - { - "uuid": "14958422-54f6-471f-a345-802dca594dd8", - "title": "[FISMA]", - "citation": { - "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." - }, - "rlinks": [ - { - "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" - } - ] - }, - { - "uuid": "cde25174-38e0-4a00-8919-8ee3674b8088", - "title": "[HSPD 7]", - "citation": { - "text": "Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/homeland-security-presidential-directive-7" - } - ] - }, - { - "uuid": "395f6bb9-bcc2-41fc-977f-04372f4a6a82", - "title": "[OMB A-108]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf" - } - ] - }, - { - "uuid": "a646d45d-775f-4887-86d3-5a00ffbc4090", - "title": "[OMB A-130]", - "citation": { - "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016." - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" - } - ] - }, - { - "uuid": "f7d3617a-9a4f-4f1a-a688-845081b70390", - "title": "[OMB M-17-06]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. **\n " - }, - "rlinks": [ - { - "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf" - } - ] - }, - { - "uuid": "389fe193-866e-46b1-bf1d-38904b56aa7b", - "title": "[OMB M-17-12]", - "citation": { - "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. **\n " - }, - "rlinks": [ - { - "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" - } - ] - }, - { - "uuid": "24b7b1ec-6430-41de-9353-29fdb1b488fc", - "title": "[DHS NIPP]", - "citation": { - "text": "Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009." - }, - "rlinks": [ - { - "href": "https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf" - } - ] - }, - { - "uuid": "6ddb507b-6ddb-4e15-a8d4-0854e704446e", - "title": "[ISO 15408-1]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" - } - ] - }, - { - "uuid": "18abb755-c10f-407d-b0ef-4f99e5ec4a49", - "title": "[ISO 15408-2]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" - } - ] - }, - { - "uuid": "2ce3a8bf-7f8b-4249-bd16-808231415b14", - "title": "[ISO 15408-3]", - "citation": { - "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. **\n " - }, - "rlinks": [ - { - "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" - } - ] - }, - { - "uuid": "aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b", - "title": "[FIPS 140-3]", - "citation": { - "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.140-3" - } - ] - }, - { - "uuid": "b3e26423-0687-47c7-ba9a-a96870d58a27", - "title": "[FIPS 199]", - "citation": { - "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.199" - } - ] - }, - { - "uuid": "f2163084-3287-45e2-9ee7-95f020415495", - "title": "[FIPS 200]", - "citation": { - "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.200" - } - ] - }, - { - "uuid": "ab414c48-b7a2-4ffe-b74d-4d8b8120adce", - "title": "[FIPS 201-2]", - "citation": { - "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.FIPS.201-2" - } - ] - }, - { - "uuid": "12702585-0c72-43c9-9185-a76a59f74233", - "title": "[SP 800-12]", - "citation": { - "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-12r1" - } - ] - }, - { - "uuid": "ae962073-f9bb-4210-b1ad-53ef6f6afad6", - "title": "[SP 800-18]", - "citation": { - "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-18r1" - } - ] - }, - { - "uuid": "1d9f757b-00d5-4db1-b15b-0ad641c6df7c", - "title": "[SP 800-30]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-30r1" - } - ] - }, - { - "uuid": "ed919d0d-8e21-4df6-801d-3fbc4cb8a505", - "title": "[SP 800-35]", - "citation": { - "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-35" - } - ] - }, - { - "uuid": "e07d73ea-96b9-4330-aff2-e0215f455343", - "title": "[SP 800-37]", - "citation": { - "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-37r2" - } - ] - }, - { - "uuid": "451e9636-402e-4c27-b3f5-e0e50f957f27", - "title": "[SP 800-39]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-39" - } - ] - }, - { - "uuid": "2e29c363-d5be-47ba-92f5-f8a58a69b65e", - "title": "[SP 800-50]", - "citation": { - "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-50" - } - ] - }, - { - "uuid": "5db6dfe4-788e-4183-93b9-f6fb29d75e41", - "title": "[SP 800-53A]", - "citation": { - "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" - } - ] - }, - { - "uuid": "8ba0d54e-fa16-4f5d-baa1-763ec3e33e26", - "title": "[SP 800-55]", - "citation": { - "text": "Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-55r1" - } - ] - }, - { - "uuid": "68949f14-9cf5-4116-91d8-e820b9df3ffd", - "title": "[SP 800-60 v1]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" - } - ] - }, - { - "uuid": "e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc", - "title": "[SP 800-60 v2]", - "citation": { - "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" - } - ] - }, - { - "uuid": "7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b", - "title": "[SP 800-61]", - "citation": { - "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-61r2" - } - ] - }, - { - "uuid": "549993c0-9bdd-4d49-875c-f56950cc5f30", - "title": "[SP 800-63-3]", - "citation": { - "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-63-3" - } - ] - }, - { - "uuid": "14a7d982-9747-48e0-a877-3e8fbf6ae381", - "title": "[SP 800-70]", - "citation": { - "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-70r4" - } - ] - }, - { - "uuid": "3d6b3a16-94e7-4a43-8648-8bdeaadb271b", - "title": "[SP 800-73-4]", - "citation": { - "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-73-4" - } - ] - }, - { - "uuid": "8b0f8559-1185-45f9-b0a9-876d7b3c1c7b", - "title": "[SP 800-83]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-83r1" - } - ] - }, - { - "uuid": "20bf433b-074c-47a0-8fca-cd591772ccd6", - "title": "[SP 800-84]", - "citation": { - "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-84" - } - ] - }, - { - "uuid": "35dfd59f-eef2-4f71-bdb5-6d878267456a", - "title": "[SP 800-86]", - "citation": { - "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-86" - } - ] - }, - { - "uuid": "fed6a3b5-2b74-499f-9172-46671f7c24c8", - "title": "[SP 800-88]", - "citation": { - "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-88r1" - } - ] - }, - { - "uuid": "02d8ec60-6197-43f8-9f47-18732127963e", - "title": "[SP 800-92]", - "citation": { - "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-92" - } - ] - }, - { - "uuid": "9183bd83-170e-4701-b32c-97e08ef8bedb", - "title": "[SP 800-100]", - "citation": { - "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-100" - } - ] - }, - { - "uuid": "1e2c475a-84ae-4c60-b420-8fb2ea552b71", - "title": "[SP 800-101]", - "citation": { - "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. **\n " - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-101r1" - } - ] - }, - { - "uuid": "a6b97214-55d4-4b86-a3a4-53d5911d96f7", - "title": "[SP 800-115]", - "citation": { - "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-115" - } - ] - }, - { - "uuid": "18c6942b-95f8-414c-b548-c8e6b8d8a172", - "title": "[SP 800-124]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-124r1" - } - ] - }, - { - "uuid": "a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4", - "title": "[SP 800-128]", - "citation": { - "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-128" - } - ] - }, - { - "uuid": "c3b34083-77b2-4dab-a980-73068f8933bd", - "title": "[SP 800-137]", - "citation": { - "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-137" - } - ] - }, - { - "uuid": "ad3e8f21-07c6-4968-b002-00b64dfa70ae", - "title": "[SP 800-150]", - "citation": { - "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-150" - } - ] - }, - { - "uuid": "fd0f14f5-8910-45c4-b60a-0c8936e00daa", - "title": "[SP 800-154]", - "citation": { - "text": "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/publications/detail/sp/800-154/draft" - } - ] - }, - { - "uuid": "8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e", - "title": "[SP 800-160 v1]", - "citation": { - "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v1" - } - ] - }, - { - "uuid": "8411e6e8-09bd-431d-bbcb-3423d36ad880", - "title": "[SP 800-160 v2]", - "citation": { - "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-160v2" - } - ] - }, - { - "uuid": "66476e76-46b4-47fb-be19-d13e6f3840df", - "title": "[SP 800-161]", - "citation": { - "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-161" - } - ] - }, - { - "uuid": "f4c3f657-de83-47ae-9aec-e144de8268d1", - "title": "[SP 800-181]", - "citation": { - "text": "Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-181" - } - ] - }, - { - "uuid": "08f518f7-f9b9-4bee-8986-860214f46b16", - "title": "[SP 800-184]", - "citation": { - "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.SP.800-184" - } - ] - }, - { - "uuid": "eadef75e-7e4d-4554-b818-44946c1dde0e", - "title": "[SP 800-188]", - "citation": { - "text": "Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188." - }, - "rlinks": [ - { - "href": "https://csrc.nist.gov/publications/detail/sp/800-188/draft" - } - ] - }, - { - "uuid": "d4779b49-8acc-45ef-b4f0-30f945e81d1b", - "title": "[IR 7539]", - "citation": { - "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7539" - } - ] - }, - { - "uuid": "09ac1fdb-36a9-483f-a04c-5c1e1bf104fb", - "title": "[IR 7559]", - "citation": { - "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7559" - } - ] - }, - { - "uuid": "7b03adec-4405-4aac-94a0-6a9eb3f42e31", - "title": "[IR 7622]", - "citation": { - "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7622" - } - ] - }, - { - "uuid": "daf69edb-a0ef-4447-9880-8c4bf553181f", - "title": "[IR 7676]", - "citation": { - "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7676" - } - ] - }, - { - "uuid": "197f7ba7-9af8-4a67-b3a4-5523d850e53b", - "title": "[IR 7870]", - "citation": { - "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7870" - } - ] - }, - { - "uuid": "bb22d510-54a9-4588-b725-00d37576562b", - "title": "[IR 7874]", - "citation": { - "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.7874" - } - ] - }, - { - "uuid": "851b5ba4-6aa0-4583-857c-4c360cbdf2a0", - "title": "[IR 8011 v1]", - "citation": { - "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8011-1" - } - ] - }, - { - "uuid": "7e7538d7-9c3a-4e5f-bbb4-638cec975415", - "title": "[IR 8023]", - "citation": { - "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8023" - } - ] - }, - { - "uuid": "817b4227-5857-494d-9032-915980b32f15", - "title": "[IR 8062]", - "citation": { - "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." - }, - "rlinks": [ - { - "href": "https://doi.org/10.6028/NIST.IR.8062" - } - ] - }, - { - "uuid": "5dac2312-1d0d-416f-aebb-400fa9775b74", - "title": "[NIAP CCEVS]", - "citation": { - "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." - }, - "rlinks": [ - { - "href": "https://www.niap-ccevs.org/" - } - ] - }, - { - "uuid": "634dec27-df88-4c30-b1a4-b57cdfd24f20", - "title": "[NSA CSFC]", - "citation": { - "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/csfc" - } - ] - }, - { - "uuid": "a52271dc-11b5-423a-8b6f-14867bd94259", - "title": "[NSA MEDIA]", - "citation": { - "text": "National Security Agency, *Media Destruction Guidance*." - }, - "rlinks": [ - { - "href": "https://www.nsa.gov/resources/everyone/media-destruction" - } - ] - } - ] - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile-min.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile-min.json deleted file mode 100644 index 0e71679535..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile-min.json +++ /dev/null @@ -1 +0,0 @@ -{"profile":{"uuid":"fcd0e29e-74e3-4f59-9834-f72a98fa2519","metadata":{"title":"SP800-53 PRIVACY BASELINE","last-modified":"2020-08-26T16:28:37.032-04:00","version":"FPD","oscal-version":"1.0.0-milestone3","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696","type":"organization","party-name":"Joint Task Force, Transformation Initiative","addresses":[{"postal-address":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}],"email-addresses":["sec-cert@nist.gov"]}],"responsible-parties":{"creator":{"party-uuids":["d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696"]},"contact":{"party-uuids":["d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696"]}}},"imports":[{"href":"NIST_SP-800-53_rev5-FPD_catalog.xml","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-3.14"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-2.5"},{"control-id":"at-3"},{"control-id":"at-3.5"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-11"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-7.4"},{"control-id":"cm-1"},{"control-id":"cm-4"},{"control-id":"ir-1"},{"control-id":"ir-3"},{"control-id":"ir-4"},{"control-id":"ir-6"},{"control-id":"ir-7"},{"control-id":"ir-8"},{"control-id":"ir-8.1"},{"control-id":"mp-1"},{"control-id":"mp-6"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-4"},{"control-id":"pl-4.1"},{"control-id":"pl-8"},{"control-id":"pl-9"},{"control-id":"pm-3"},{"control-id":"pm-4"},{"control-id":"pm-5.1"},{"control-id":"pm-6"},{"control-id":"pm-7"},{"control-id":"pm-8"},{"control-id":"pm-9"},{"control-id":"pm-10"},{"control-id":"pm-11"},{"control-id":"pm-13"},{"control-id":"pm-14"},{"control-id":"pm-18"},{"control-id":"pm-19"},{"control-id":"pm-20"},{"control-id":"pm-21"},{"control-id":"pm-22"},{"control-id":"pm-24"},{"control-id":"pm-25"},{"control-id":"pm-26"},{"control-id":"pm-27"},{"control-id":"pm-31"},{"control-id":"pm-33"},{"control-id":"pt-1"},{"control-id":"pt-2"},{"control-id":"pt-3"},{"control-id":"pt-4"},{"control-id":"pt-5"},{"control-id":"pt-6"},{"control-id":"pt-6.2"},{"control-id":"pt-7"},{"control-id":"pt-7.1"},{"control-id":"pt-7.2"},{"control-id":"pt-8"},{"control-id":"pt-8.1"},{"control-id":"pt-8.2"},{"control-id":"pt-9"},{"control-id":"ra-1"},{"control-id":"ra-3"},{"control-id":"ra-7"},{"control-id":"ra-8"},{"control-id":"sa-1"},{"control-id":"sa-4"},{"control-id":"sa-9"},{"control-id":"sa-11"},{"control-id":"si-1"},{"control-id":"si-12"},{"control-id":"si-12.1"},{"control-id":"si-12.2"},{"control-id":"si-12.3"},{"control-id":"si-18"},{"control-id":"si-18.4"},{"control-id":"si-19"}]}}],"merge":{"as-is":true}}} \ No newline at end of file diff --git a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.json b/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.json deleted file mode 100644 index bf4f102f68..0000000000 --- a/content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.json +++ /dev/null @@ -1,326 +0,0 @@ -{ - "profile": { - "uuid": "fcd0e29e-74e3-4f59-9834-f72a98fa2519", - "metadata": { - "title": "SP800-53 PRIVACY BASELINE", - "last-modified": "2020-08-26T16:28:37.032-04:00", - "version": "FPD", - "oscal-version": "1.0.0-milestone3", - "roles": [ - { - "id": "creator", - "title": "Document Creator" - }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696", - "type": "organization", - "party-name": "Joint Task Force, Transformation Initiative", - "addresses": [ - { - "postal-address": [ - "National Institute of Standards and Technology", - "Attn: Computer Security Division", - "Information Technology Laboratory", - "100 Bureau Drive (Mail Stop 8930)" - ], - "city": "Gaithersburg", - "state": "MD", - "postal-code": "20899-8930" - } - ], - "email-addresses": [ - "sec-cert@nist.gov" - ] - } - ], - "responsible-parties": { - "creator": { - "party-uuids": [ - "d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696" - ] - }, - "contact": { - "party-uuids": [ - "d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696" - ] - } - } - }, - "imports": [ - { - "href": "NIST_SP-800-53_rev5-FPD_catalog.xml", - "include": { - "id-selectors": [ - { - "control-id": "ac-1" - }, - { - "control-id": "ac-3.14" - }, - { - "control-id": "at-1" - }, - { - "control-id": "at-2" - }, - { - "control-id": "at-2.5" - }, - { - "control-id": "at-3" - }, - { - "control-id": "at-3.5" - }, - { - "control-id": "at-4" - }, - { - "control-id": "au-1" - }, - { - "control-id": "au-2" - }, - { - "control-id": "au-11" - }, - { - "control-id": "ca-1" - }, - { - "control-id": "ca-2" - }, - { - "control-id": "ca-5" - }, - { - "control-id": "ca-6" - }, - { - "control-id": "ca-7" - }, - { - "control-id": "ca-7.4" - }, - { - "control-id": "cm-1" - }, - { - "control-id": "cm-4" - }, - { - "control-id": "ir-1" - }, - { - "control-id": "ir-3" - }, - { - "control-id": "ir-4" - }, - { - "control-id": "ir-6" - }, - { - "control-id": "ir-7" - }, - { - "control-id": "ir-8" - }, - { - "control-id": "ir-8.1" - }, - { - "control-id": "mp-1" - }, - { - "control-id": "mp-6" - }, - { - "control-id": "pl-1" - }, - { - "control-id": "pl-2" - }, - { - "control-id": "pl-4" - }, - { - "control-id": "pl-4.1" - }, - { - "control-id": "pl-8" - }, - { - "control-id": "pl-9" - }, - { - "control-id": "pm-3" - }, - { - "control-id": "pm-4" - }, - { - "control-id": "pm-5.1" - }, - { - "control-id": "pm-6" - }, - { - "control-id": "pm-7" - }, - { - "control-id": "pm-8" - }, - { - "control-id": "pm-9" - }, - { - "control-id": "pm-10" - }, - { - "control-id": "pm-11" - }, - { - "control-id": "pm-13" - }, - { - "control-id": "pm-14" - }, - { - "control-id": "pm-18" - }, - { - "control-id": "pm-19" - }, - { - "control-id": "pm-20" - }, - { - "control-id": "pm-21" - }, - { - "control-id": "pm-22" - }, - { - "control-id": "pm-24" - }, - { - "control-id": "pm-25" - }, - { - "control-id": "pm-26" - }, - { - "control-id": "pm-27" - }, - { - "control-id": "pm-31" - }, - { - "control-id": "pm-33" - }, - { - "control-id": "pt-1" - }, - { - "control-id": "pt-2" - }, - { - "control-id": "pt-3" - }, - { - "control-id": "pt-4" - }, - { - "control-id": "pt-5" - }, - { - "control-id": "pt-6" - }, - { - "control-id": "pt-6.2" - }, - { - "control-id": "pt-7" - }, - { - "control-id": "pt-7.1" - }, - { - "control-id": "pt-7.2" - }, - { - "control-id": "pt-8" - }, - { - "control-id": "pt-8.1" - }, - { - "control-id": "pt-8.2" - }, - { - "control-id": "pt-9" - }, - { - "control-id": "ra-1" - }, - { - "control-id": "ra-3" - }, - { - "control-id": "ra-7" - }, - { - "control-id": "ra-8" - }, - { - "control-id": "sa-1" - }, - { - "control-id": "sa-4" - }, - { - "control-id": "sa-9" - }, - { - "control-id": "sa-11" - }, - { - "control-id": "si-1" - }, - { - "control-id": "si-12" - }, - { - "control-id": "si-12.1" - }, - { - "control-id": "si-12.2" - }, - { - "control-id": "si-12.3" - }, - { - "control-id": "si-18" - }, - { - "control-id": "si-18.4" - }, - { - "control-id": "si-19" - } - ] - } - } - ], - "merge": { - "as-is": true - } - } -} diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.xml deleted file mode 100644 index 6611399e67..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.xml +++ /dev/null @@ -1,13348 +0,0 @@ - - - - SP800-53 HIGH IMPACT BASELINE - 2020-08-26T16:28:38.111-04:00 - FPD - 1.0.0-milestone3 - 2020-08-31T17:39:35.488827Z - SP800-53 HIGH IMPACT BASELINE - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - a90f4235-ab3c-4bf1-ba0a-865bbc833346 - - - a90f4235-ab3c-4bf1-ba0a-865bbc833346 - - - - Access Control - - Policy and Procedures - - - - - - - - - - - - - - AC-1 - AC-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [IR 7874] - IA-1 - PM-9 - PM-24 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- access control policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the access control policy and the associated access controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

- - - c. -

Review and update the current access control:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Account Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - AC-2 - AC-02 - [SP 800-162] - [SP 800-178] - [SP 800-192] - AC-3 - AC-5 - AC-6 - AC-17 - AC-18 - AC-20 - AC-24 - AU-2 - AU-12 - CM-5 - IA-2 - IA-4 - IA-5 - IA-8 - MA-3 - MA-5 - PE-2 - PL-4 - PS-2 - PS-4 - PS-5 - PS-7 - SC-7 - SC-13 - SC-37 - - - a. -

Define and document the types of accounts allowed for use within the system;

- - - b. -

Assign account managers;

- - - c. -

Establish conditions for group and role membership;

- - - d. -

Specify:

- - 1. -

Authorized users of the system;

- - - 2. -

Group and role membership; and

- - - 3. -

Access authorizations (i.e., privileges) and for each account;

- - - - e. -

Require approvals by for requests to create accounts;

- - - f. -

Create, enable, modify, disable, and remove accounts in accordance with ;

- - - g. -

Monitor the use of accounts;

- - - h. -

Notify account managers and within:

- - 1. -

- when accounts are no longer required;

- - - 2. -

- when users are terminated or transferred; and

- - - 3. -

- when system usage or need-to-know changes for an individual;

- - - - i. -

Authorize access to the system based on:

- - 1. -

A valid access authorization;

- - - 2. -

Intended system usage; and

- - - 3. -

- ;

- - - - j. -

Review accounts for compliance with account management requirements ;

- - - k. -

Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and

- - - l. -

Align account management processes with personnel termination and transfer processes.

- - - -

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy. -Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. -Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

- - - Automated System Account Management - - - - AC-2(1) - AC-02(01) - -

Support the management of system accounts using .

- - -

Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage.

- - - - Automated Temporary and Emergency Account Management - - - - - AC-2(2) - AC-02(02) - -

Automatically temporary and emergency accounts after .

- - -

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

- - - - Disable Accounts - - - - AC-2(3) - AC-02(03) - -

Disable accounts when the accounts:

- - (a) -

Have expired;

- - - (b) -

Are no longer associated with a user or individual;

- - - (c) -

Are in violation of organizational policy; or

- - - (d) -

Have been inactive for .

- - - -

Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system.

- - - - Automated Audit Actions - AC-2(4) - AC-02(04) - AU-2 - AU-6 - -

Automatically audit account creation, modification, enabling, disabling, and removal actions.

- - -

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

- - - - Inactivity Logout - - - - AC-2(5) - AC-02(05) - AC-11 - -

Require that users log out when .

- - -

Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11.

- - - - Usage Conditions - - - - - - - AC-2(11) - AC-02(11) - -

Enforce for .

- - -

Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time.

- - - - Account Monitoring for Atypical Usage - - - - - - - AC-2(12) - AC-02(12) - AU-6 - AU-7 - CA-7 - IR-8 - SI-4 - - - (a) -

Monitor system accounts for ; and

- - - (b) -

Report atypical usage of system accounts to .

- - - -

Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals working in organizations. Account monitoring may inadvertently create privacy risks. Data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

- - - - Disable Accounts for High-risk Individuals - - - - - - - AC-2(13) - AC-02(13) - AU-6 - SI-4 - -

Disable accounts of users within of discovery of .

- - -

Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement.

- - - - - Access Enforcement - AC-3 - AC-03 - [OMB A-130] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-162] - [SP 800-178] - [IR 7874] - AC-2 - AC-4 - AC-5 - AC-6 - AC-16 - AC-17 - AC-18 - AC-19 - AC-20 - AC-21 - AC-22 - AC-24 - AC-25 - AT-2 - AT-3 - AU-9 - CA-9 - CM-5 - CM-11 - IA-2 - IA-5 - IA-6 - IA-7 - IA-11 - MA-3 - MA-4 - MA-5 - MP-4 - PM-2 - PS-3 - SA-17 - SC-2 - SC-3 - SC-4 - SC-13 - SC-28 - SC-31 - SC-34 - SI-4 - -

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

- - -

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.

- - - - Information Flow Enforcement - - - - AC-4 - AC-04 - [SP 800-160 v1] - [SP 800-162] - [SP 800-178] - AC-3 - AC-6 - AC-16 - AC-17 - AC-19 - AC-21 - AU-10 - CA-3 - CA-9 - CM-7 - PM-24 - SA-17 - SC-4 - SC-7 - SC-16 - SC-31 - -

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on .

- - -

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels. -Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS).

- - - Flow Control of Encrypted Information - - - - - - - - AC-4(4) - AC-04(04) - SI-4 - -

Prevent encrypted information from bypassing by .

- - -

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

- - - - - Separation of Duties - - - - AC-5 - AC-05 - AC-2 - AC-3 - AC-6 - AU-9 - CM-5 - CM-11 - CP-9 - IA-2 - IA-5 - MA-3 - MA-5 - PS-2 - SA-8 - SA-17 - - - a. -

Identify and document ; and

- - - b. -

Define system access authorizations to support separation of duties.

- - - -

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3.

- - - - Least Privilege - AC-6 - AC-06 - AC-2 - AC-3 - AC-5 - AC-16 - CM-5 - CM-11 - PL-2 - PM-12 - SA-8 - SA-15 - SA-17 - SC-38 - -

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

- - -

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

- - - Authorize Access to Security Functions - - - - - - - - - - AC-6(1) - AC-06(01) - AC-17 - AC-18 - AC-19 - AU-9 - PE-2 - -

Explicitly authorize access for to:

- - (a) -

- ; and

- - - (b) -

- .

- - - -

Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.

- - - - Non-privileged Access for Nonsecurity Functions - - - - AC-6(2) - AC-06(02) - AC-17 - AC-18 - AC-19 - PL-4 - -

Require that users of system accounts (or roles) with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

- - -

Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

- - - - Network Access to Privileged Commands - - - - - - - AC-6(3) - AC-06(03) - AC-17 - AC-18 - AC-19 - -

Authorize network access to only for and document the rationale for such access in the security plan for the system.

- - -

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

- - - - Privileged Accounts - - - - AC-6(5) - AC-06(05) - IA-2 - MA-3 - MA-4 - -

Restrict privileged accounts on the system to .

- - -

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

- - - - Review of User Privileges - - - - - - - AC-6(7) - AC-06(07) - CA-7 - - - (a) -

Review the privileges assigned to to validate the need for such privileges; and

- - - (b) -

Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

- - - -

The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

- - - - Log Use of Privileged Functions - AC-6(9) - AC-06(09) - AU-2 - AU-3 - AU-12 - -

Audit the execution of privileged functions.

- - -

The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

- - - - Prohibit Non-privileged Users from Executing Privileged Functions - AC-6(10) - AC-06(10) - -

Prevent non-privileged users from executing privileged functions.

- - -

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3.

- - - - - Unsuccessful Logon Attempts - - - - - - - - - - - - - - - - - AC-7 - AC-07 - [SP 800-63-3] - [SP 800-124] - AC-2 - AC-9 - AU-2 - AU-6 - IA-5 - - - a. -

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

- - - b. -

Automatically when the maximum number of unsuccessful attempts is exceeded.

- - - -

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address. -Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

- - - - System Use Notification - - - - - - - AC-8 - AC-08 - AC-14 - PL-4 - SI-4 - - - a. -

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

- - 1. -

Users are accessing a U.S. Government system;

- - - 2. -

System usage may be monitored, recorded, and subject to audit;

- - - 3. -

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

- - - 4. -

Use of the system indicates consent to monitoring and recording;

- - - - b. -

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

- - - c. -

For publicly accessible systems:

- - 1. -

Display system use information , before granting further access to the publicly accessible system;

- - - 2. -

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

- - - 3. -

Include a description of the authorized uses of the system.

- - - - -

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

- - - - Concurrent Session Control - - - - - - - AC-10 - AC-10 - SC-23 - -

Limit the number of concurrent sessions for each to .

- - -

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for system accounts and does not address concurrent sessions by single users via multiple system accounts.

- - - - Device Lock - - - - - AC-11 - AC-11 - AC-2 - AC-7 - IA-11 - PL-4 - - - a. -

Prevent further access to the system by ; and

- - - b. -

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

- - - -

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays.

- - - Pattern-hiding Displays - AC-11(1) - AC-11(01) - -

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

- - -

The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed.

- - - - - Session Termination - - - - AC-12 - AC-12 - MA-4 - SC-10 - SC-23 - -

Automatically terminate a user session after .

- - -

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

- - - - Permitted Actions Without Identification or Authentication - - - - AC-14 - AC-14 - AC-8 - IA-2 - PL-2 - - - a. -

Identify that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and

- - - b. -

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

- - - -

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none.

- - - - Remote Access - AC-17 - AC-17 - [SP 800-46] - [SP 800-77] - [SP 800-113] - [SP 800-114] - [SP 800-121] - [IR 7966] - AC-2 - AC-3 - AC-4 - AC-18 - AC-19 - AC-20 - CA-3 - CM-10 - IA-2 - IA-3 - IA-8 - MA-4 - PE-17 - PL-2 - PL-4 - SC-10 - SI-4 - - - a. -

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

- - - b. -

Authorize each type of remote access to the system prior to allowing such connections.

- - - -

Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3.

- - - Monitoring and Control - AC-17(1) - AC-17(01) - AU-2 - AU-6 - AU-12 - AU-14 - -

Employ automated mechanisms to monitor and control remote access methods.

- - -

Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a.

- - - - Protection of Confidentiality and Integrity Using Encryption - AC-17(2) - AC-17(02) - SC-8 - SC-12 - SC-13 - -

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

- - -

Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.

- - - - Managed Access Control Points - AC-17(3) - AC-17(03) - SC-7 - -

Route remote accesses through authorized and managed network access control points.

- - -

Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface.

- - - - Privileged Commands and Access - - - - AC-17(4) - AC-17(04) - AC-6 - SC-12 - SC-13 - - - (a) -

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: ; and

- - - (b) -

Document the rationale for remote access in the security plan for the system.

- - - -

Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.

- - - - - Wireless Access - AC-18 - AC-18 - [SP 800-94] - [SP 800-97] - AC-2 - AC-3 - AC-17 - AC-19 - CA-9 - CM-7 - IA-2 - IA-3 - IA-8 - PL-4 - SC-40 - SC-43 - SI-4 - - - a. -

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

- - - b. -

Authorize each type of wireless access to the system prior to allowing such connections.

- - - -

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication.

- - - Authentication and Encryption - - AC-18(1) - AC-18(01) - SC-8 - SC-13 - -

Protect wireless access to the system using authentication of and encryption.

- - -

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies.

- - - - Disable Wireless Networking - AC-18(3) - AC-18(03) - -

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

- - -

Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.

- - - - Restrict Configurations by Users - AC-18(4) - AC-18(04) - SC-7 - SC-15 - -

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

- - -

Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational systems.

- - - - Antennas and Transmission Power Levels - AC-18(5) - AC-18(05) - PE-19 - -

Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

- - -

Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization; employing measures such as emissions security to control wireless emanations; and using directional or beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area.

- - - - - Access Control for Mobile Devices - AC-19 - AC-19 - [SP 800-114] - [SP 800-124] - AC-3 - AC-4 - AC-7 - AC-11 - AC-17 - AC-18 - AC-20 - CA-9 - CM-2 - CM-6 - IA-2 - IA-3 - MP-2 - MP-4 - MP-5 - MP-7 - PL-4 - SC-7 - SC-34 - SC-43 - SI-3 - SI-4 - - - a. -

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

- - - b. -

Authorize the connection of mobile devices to organizational systems.

- - - -

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. -Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. -Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

- - - Full Device and Container-based Encryption - - - - - AC-19(5) - AC-19(05) - SC-13 - SC-28 - -

Employ to protect the confidentiality and integrity of information on .

- - -

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

- - - - - Use of External Systems - - - - - - - - AC-20 - AC-20 - [FIPS 199] - [SP 800-171] - [SP 800-171B] - AC-2 - AC-3 - AC-17 - AC-19 - CA-3 - PL-2 - PL-4 - SA-9 - SC-7 - -

Establish , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

- - a. -

Access the system from external systems; and

- - - b. -

Process, store, or transmit organization-controlled information using external systems.

- - - -

External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries. -For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. -This control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

- - - Limits on Authorized Use - AC-20(1) - AC-20(01) - CA-2 - -

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

- - (a) -

Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or

- - - (b) -

Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

- - - -

Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

- - - - Portable Storage Devices — Restricted Use - - - - AC-20(2) - AC-20(02) - MP-7 - SC-41 - -

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using .

- - -

Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.

- - - - - Information Sharing - - - - - - - AC-21 - AC-21 - [OMB A-130] - [SP 800-150] - [IR 8062] - AC-3 - AC-4 - AC-16 - PT-2 - PT-8 - RA-3 - SC-15 - - - a. -

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ; and

- - - b. -

Employ to assist users in making information sharing and collaboration decisions.

- - - -

Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA).

- - - - Publicly Accessible Content - - - - AC-22 - AC-22 - [PRIVACT] - AC-3 - AT-2 - AT-3 - AU-13 - - - a. -

Designate individuals authorized to make information publicly accessible;

- - - b. -

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

- - - c. -

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

- - - d. -

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

- - - -

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible.

- - - - - Awareness and Training - - Policy and Procedures - - - - - - - - - - - - - - AT-1 - AT-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- awareness and training policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

- - - c. -

Review and update the current awareness and training:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Awareness Training - - - - - - - AT-2 - AT-02 - [OMB A-130] - [SP 800-50] - [SP 800-160 v2] - AC-3 - AC-17 - AC-22 - AT-3 - AT-4 - CP-3 - IA-4 - IR-2 - IR-7 - IR-9 - PL-4 - PM-13 - PM-21 - PS-7 - PT-2 - SA-8 - SA-16 - - - a. -

Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):

- - 1. -

As part of initial training for new users and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update awareness training .

- - - -

Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. -Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective.

- - - Insider Threat - AT-2(2) - AT-02(02) - PM-12 - -

Provide awareness training on recognizing and reporting potential indicators of insider threat.

- - -

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations.

- - - - Social Engineering and Mining - AT-2(3) - AT-02(03) - -

Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.

- - -

Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.

- - - - - Role-based Training - - - - - - - - - - AT-3 - AT-03 - [OMB A-130] - [SP 800-50] - AC-3 - AC-17 - AC-22 - AT-2 - AT-4 - CP-3 - IR-2 - IR-7 - IR-9 - IR-10 - PL-4 - PM-13 - PM-23 - PS-7 - SA-3 - SA-8 - SA-11 - SA-16 - SR-5 - SR-6 - SR-11 - - - a. -

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

- - 1. -

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update role-based training .

- - - -

Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. -Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective.

- - - - Training Records - - - - AT-4 - AT-04 - [OMB A-130] - AT-2 - AT-3 - CP-3 - IR-2 - PM-14 - SI-12 - - - a. -

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

- - - b. -

Retain individual training records for .

- - - -

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

- - - - - Audit and Accountability - - Policy and Procedures - - - - - - - - - - - - - - AU-1 - AU-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- audit and accountability policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

- - - c. -

Review and update the current audit and accountability:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Event Logging - - - - - - - - - - AU-2 - AU-02 - [OMB A-130] - [SP 800-92] - AC-2 - AC-3 - AC-6 - AC-7 - AC-8 - AC-16 - AC-17 - AU-3 - AU-4 - AU-5 - AU-6 - AU-7 - AU-11 - AU-12 - CM-3 - CM-5 - CM-6 - CM-13 - IA-3 - MA-4 - MP-4 - PE-3 - PM-21 - PT-2 - PT-8 - RA-8 - SA-8 - SC-7 - SC-18 - SI-3 - SI-4 - SI-7 - SI-10 - SI-11 - - - a. -

Identify the types of events that the system is capable of logging in support of the audit function: ;

- - - b. -

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

- - - c. -

Specify the following event types for logging within the system: ;

- - - d. -

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

- - - e. -

Review and update the event types selected for logging .

- - - -

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. -To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. -Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

- - - - Content of Audit Records - AU-3 - AU-03 - [OMB A-130] - [IR 8062] - AU-2 - AU-8 - AU-12 - AU-14 - MA-4 - SA-8 - SI-7 - SI-11 - -

Ensure that audit records contain information that establishes the following:

- - a. -

What type of event occurred;

- - - b. -

When the event occurred;

- - - c. -

Where the event occurred;

- - - d. -

Source of the event;

- - - e. -

Outcome of the event; and

- - - f. -

Identity of any individuals, subjects, or objects/entities associated with the event.

- - - -

Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage.

- - - Additional Audit Information - - - - AU-3(1) - AU-03(01) - -

Generate audit records containing the following additional information: .

- - -

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest.

- - - - Centralized Management of Planned Audit Record Content - - - - AU-3(2) - AU-03(02) - AU-6 - AU-7 - -

Provide centralized management and configuration of the content to be captured in audit records generated by .

- - -

Centralized management of planned audit record content requires that the content to be captured in audit records be configured from a central location (necessitating an automated capability). Organizations coordinate the selection of the required audit record content to support the centralized management and configuration capability provided by the system.

- - - - - Audit Log Storage Capacity - - - - AU-4 - AU-04 - AU-2 - AU-5 - AU-6 - AU-7 - AU-9 - AU-11 - AU-12 - AU-14 - SI-4 - -

Allocate audit log storage capacity to accommodate .

- - -

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

- - - - Response to Audit Logging Process Failures - - - - - - - - - - AU-5 - AU-05 - AU-2 - AU-4 - AU-7 - AU-9 - AU-11 - AU-12 - AU-14 - SI-4 - SI-12 - - - a. -

Alert within in the event of an audit logging process failure; and

- - - b. -

Take the following additional actions: .

- - - -

Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

- - - Storage Capacity Warning - - - - - - - - - - AU-5(1) - AU-05(01) - -

Provide a warning to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

- - -

Organizations may have multiple audit log storage repositories distributed across multiple system components, with each repository having different storage volume capacities.

- - - - Real-time Alerts - - - - - - - - - - AU-5(2) - AU-05(02) - -

Provide an alert within to when the following audit failure events occur: .

- - -

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

- - - - - Audit Record Review, Analysis, and Reporting - - - - - - - - - - AU-6 - AU-06 - [SP 800-86] - [SP 800-101] - AC-2 - AC-3 - AC-5 - AC-6 - AC-7 - AC-17 - AU-7 - AU-16 - CA-2 - CA-7 - CM-2 - CM-5 - CM-6 - CM-10 - CM-11 - IA-2 - IA-3 - IA-5 - IA-8 - IR-5 - MA-4 - MP-4 - PE-3 - PE-6 - RA-5 - SA-8 - SC-7 - SI-3 - SI-4 - SI-7 - - - a. -

Review and analyze system audit records for indications of ;

- - - b. -

Report findings to ; and

- - - c. -

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

- - - -

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

- - - Automated Process Integration - - - - AU-6(1) - AU-06(01) - PM-7 - -

Integrate audit record review, analysis, and reporting processes using .

- - -

Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.

- - - - Correlate Audit Record Repositories - AU-6(3) - AU-06(03) - AU-12 - IR-4 - -

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

- - -

Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.

- - - - Integrated Analysis of Audit Records - - - - - AU-6(5) - AU-06(05) - AU-12 - IR-4 - -

Integrate analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

- - -

Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial of service attacks or other types of attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.

- - - - Correlation with Physical Monitoring - AU-6(6) - AU-06(06) - -

Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

- - -

The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred, may be useful in investigations.

- - - - - Audit Record Reduction and Report Generation - AU-7 - AU-07 - AC-2 - AU-2 - AU-3 - AU-4 - AU-5 - AU-6 - AU-12 - AU-16 - CM-5 - IA-5 - IR-4 - PM-12 - SI-4 - -

Provide and implement an audit record reduction and report generation capability that:

- - a. -

Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and

- - - b. -

Does not alter the original content or time ordering of audit records.

- - - -

Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.

- - - Automatic Processing - - - - AU-7(1) - AU-07(01) - -

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: .

- - -

Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component.

- - - - - Time Stamps - - - - AU-8 - AU-08 - [IETF 5905] - AU-3 - AU-12 - AU-14 - SC-45 - - - a. -

Use internal system clocks to generate time stamps for audit records; and

- - - b. -

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

- - - -

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

- - - Synchronization with Authoritative Time Source - - - - - - - - - - AU-8(1) - AU-08(01) - - - (a) -

Compare the internal system clocks with ; and

- - - (b) -

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .

- - - -

Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.

- - - - - Protection of Audit Information - AU-9 - AU-09 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 202] - AC-3 - AC-6 - AU-6 - AU-11 - AU-14 - AU-15 - MP-2 - MP-4 - PE-2 - PE-3 - PE-6 - SA-8 - SC-8 - SI-4 - -

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

- - -

Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

- - - Store on Separate Physical Systems or Components - - - - AU-9(2) - AU-09(02) - AU-4 - AU-5 - -

Store audit records in a repository that is part of a physically different system or system component than the system or component being audited.

- - -

Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.

- - - - Cryptographic Protection - AU-9(3) - AU-09(03) - AU-10 - SC-12 - SC-13 - -

Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.

- - -

Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

- - - - Access by Subset of Privileged Users - - - - AU-9(4) - AU-09(04) - AC-5 - -

Authorize access to management of audit logging functionality to only .

- - -

Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges.

- - - - - Non-repudiation - - - - AU-10 - AU-10 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-177] - AU-9 - PM-12 - SA-8 - SC-8 - SC-12 - SC-13 - SC-16 - SC-17 - SC-23 - -

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed .

- - -

Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents; senders of not having transmitted messages; receivers of not having received messages; and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, or approving a procurement request, or received specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.

- - - - Audit Record Retention - - - - AU-11 - AU-11 - [OMB A-130] - AU-2 - AU-4 - AU-5 - AU-6 - AU-9 - AU-14 - MP-6 - RA-5 - SI-12 - -

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

- - -

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - Audit Record Generation - - - - - - - AU-12 - AU-12 - AC-6 - AC-17 - AU-2 - AU-3 - AU-4 - AU-5 - AU-6 - AU-7 - AU-14 - CM-5 - MA-4 - MP-4 - PM-12 - SA-8 - SC-18 - SI-3 - SI-4 - SI-7 - SI-10 - - - a. -

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

- - - b. -

Allow to select the event types that are to be logged by specific components of the system; and

- - - c. -

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

- - - -

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

- - - System-wide and Time-correlated Audit Trail - - - - - - - AU-12(1) - AU-12(01) - AU-8 - -

Compile audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

- - -

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

- - - - Changes by Authorized Individuals - - - - - - - - - - - - - AU-12(3) - AU-12(03) - AC-3 - -

Provide and implement the capability for to change the logging to be performed on based on within .

- - -

Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed, for example, near real-time, within minutes, or within hours.

- - - - - - Assessment, Authorization, and Monitoring - - Policy and Procedures - - - - - - - - - - - - - - CA-1 - CA-01 - [OMB A-130, Appendix II] - [SP 800-12] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-100] - [SP 800-137] - [IR 8062] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- assessment, authorization, and monitoring policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

- - - c. -

Review and update the current assessment, authorization, and monitoring:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Control Assessments - - - - - - - CA-2 - CA-02 - [OMB A-130] - [FIPS 199] - [SP 800-18] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8062] - AC-20 - CA-5 - CA-6 - CA-7 - PM-9 - RA-5 - SA-11 - SC-38 - SI-3 - SI-12 - SR-2 - SR-3 - - - a. -

Develop a control assessment plan that describes the scope of the assessment including:

- - 1. -

Controls and control enhancements under assessment;

- - - 2. -

Assessment procedures to be used to determine control effectiveness; and

- - - 3. -

Assessment environment, assessment team, and assessment roles and responsibilities;

- - - - b. -

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

- - - c. -

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

- - - d. -

Produce a control assessment report that document the results of the assessment; and

- - - e. -

Provide the results of the control assessment to .

- - - -

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. -Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. -Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. -To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control.

- - - Independent Assessors - CA-2(1) - CA-02(01) - -

Employ independent assessors or assessment teams to conduct control assessments.

- - -

Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services. -Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews. -When organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

- - - - Specialized Assessments - - - - - - - - - CA-2(2) - CA-02(02) - PE-3 - SI-2 - -

Include as part of control assessments, , , .

- - -

Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle, for example, during design, development, and unit testing.

- - - - - Information Exchange - - - - - - - - CA-3 - CA-03 - [OMB A-130, Appendix II] - [FIPS 199] - [SP 800-47] - AC-4 - AC-20 - AU-16 - CA-6 - IA-3 - IR-4 - PL-2 - PT-8 - RA-3 - SA-9 - SC-7 - SI-12 - - - a. -

Approve and manage the exchange of information between the system and other systems using ;

- - - b. -

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

- - - c. -

Review and update the agreements .

- - - -

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk. -Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks.

- - - Transfer Authorizations - CA-3(6) - CA-03(06) - AC-2 - AC-3 - AC-4 - -

Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.

- - -

To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies via independent means, whether the individual or system attempting to transfer information is authorized to do so. This control enhancement also applies to control plane traffic (e.g., routing and DNS) and services such as authenticated SMTP relays.

- - - - - Plan of Action and Milestones - - - - CA-5 - CA-05 - [OMB A-130] - [SP 800-37] - CA-2 - CA-7 - PM-4 - PM-9 - RA-7 - SI-2 - SI-12 - - - a. -

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

- - - b. -

Update existing plan of action and milestones based on the findings from control assessments, audits, and continuous monitoring activities.

- - - -

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB.

- - - - Authorization - - - - CA-6 - CA-06 - [OMB A-130] - [SP 800-37] - [SP 800-137] - CA-2 - CA-3 - CA-7 - PM-9 - PM-10 - SA-10 - SI-12 - - - a. -

Assign a senior official as the authorizing official for the system;

- - - b. -

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

- - - c. -

Ensure that the authorizing official for the system, before commencing operations:

- - 1. -

Accepts the use of common controls inherited by the system; and

- - - 2. -

Authorizes the system to operate;

- - - - d. -

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

- - - e. -

Update the authorizations .

- - - -

Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. -Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - Continuous Monitoring - - - - - - - - - - - - - - - - CA-7 - CA-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8011 v1] - [IR 8062] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PM-31 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-8 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-6 - -

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

- - a. -

Establishing the following system-level metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing control assessments in accordance with the continuous monitoring strategy;

- - - d. -

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

- - - e. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - f. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - g. -

Reporting the security and privacy status of the system to - .

- - - -

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. -Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - Independent Assessment - CA-7(1) - CA-07(01) - -

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

- - -

Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services.

- - - - Risk Monitoring - CA-7(4) - CA-07(04) - -

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

- - (a) -

Effectiveness monitoring;

- - - (b) -

Compliance monitoring; and

- - - (c) -

Change monitoring.

- - - -

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

- - - - - Penetration Testing - - - - - - - CA-8 - CA-08 - SA-11 - SR-5 - SR-6 - -

Conduct penetration testing on .

- - -

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries in carrying out attacks and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). -Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system; pretest identification of potential vulnerabilities based on pretest analysis; and testing designed to determine exploitability of vulnerabilities. All parties agree to the rules of engagement before commencement of penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.

- - - Independent Penetration Testing Agent or Team - CA-8(1) - CA-08(01) - CA-2 - -

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

- - -

Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.

- - - - - Internal System Connections - - - - - - - - - - CA-9 - CA-09 - [SP 800-124] - [IR 8023] - AC-3 - AC-4 - AC-18 - AC-19 - CM-2 - IA-3 - SC-7 - SI-12 - - - a. -

Authorize internal connections of to the system;

- - - b. -

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

- - - c. -

Terminate internal system connections after ; and

- - - d. -

Review the continued need for each internal connection.

- - - -

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

- - - - - Configuration Management - - Policy and Procedures - - - - - - - - - - - - - - CM-1 - CM-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- configuration management policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

- - - c. -

Review and update the current configuration management:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Baseline Configuration - - - - - - - CM-2 - CM-02 - [SP 800-124] - [SP 800-128] - AC-19 - AU-6 - CA-9 - CM-1 - CM-3 - CM-5 - CM-6 - CM-8 - CM-9 - CP-9 - CP-10 - CP-12 - MA-2 - PL-8 - PM-5 - SA-8 - SA-10 - SA-15 - SC-18 - - - a. -

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

- - - b. -

Review and update the baseline configuration of the system:

- - 1. -

- ;

- - - 2. -

When required due to ; and

- - - 3. -

When system components are installed or upgraded.

- - - - -

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

- - - Automation Support for Accuracy and Currency - - - - CM-2(2) - CM-02(02) - CM-7 - IA-3 - RA-5 - -

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using .

- - -

Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.

- - - - Retention of Previous Configurations - - - - CM-2(3) - CM-02(03) - -

Retain of previous versions of baseline configurations of the system to support rollback.

- - -

Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records.

- - - - Configure Systems and Components for High-risk Areas - - - - - - - - - - CM-2(7) - CM-02(07) - MP-4 - MP-5 - - - (a) -

Issue with to individuals traveling to locations that the organization deems to be of significant risk; and

- - - (b) -

Apply the following controls to the systems or components when the individuals return from travel: .

- - - -

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

- - - - - Configuration Change Control - - - - - - - - - - - - - - CM-3 - CM-03 - [SP 800-124] - [SP 800-128] - [IR 8062] - CA-7 - CM-2 - CM-4 - CM-5 - CM-6 - CM-9 - CM-11 - IA-3 - MA-2 - PE-16 - PT-7 - RA-8 - SA-8 - SA-10 - SC-28 - SC-34 - SC-37 - SI-2 - SI-3 - SI-4 - SI-7 - SI-10 - SR-11 - - - a. -

Determine and document the types of changes to the system that are configuration-controlled;

- - - b. -

Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

- - - c. -

Document configuration change decisions associated with the system;

- - - d. -

Implement approved configuration-controlled changes to the system;

- - - e. -

Retain records of configuration-controlled changes to the system for ;

- - - f. -

Monitor and review activities associated with configuration-controlled changes to the system; and

- - - g. -

Coordinate and provide oversight for configuration change control activities through that convenes .

- - - -

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

- - - Automated Documentation, Notification, and Prohibition of Changes - - - - - - - - - - - - - CM-3(1) - CM-03(01) - -

Use to:

- - (a) -

Document proposed changes to the system;

- - - (b) -

Notify of proposed changes to the system and request change approval;

- - - (c) -

Highlight proposed changes to the system that have not been approved or disapproved within ;

- - - (d) -

Prohibit changes to the system until designated approvals are received;

- - - (e) -

Document all changes to the system; and

- - - (f) -

Notify when approved changes to the system are completed.

- - - -

None.

- - - - Testing, Validation, and Documentation of Changes - CM-3(2) - CM-03(02) - -

Test, validate, and document changes to the system before finalizing the implementation of the changes.

- - -

Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.

- - - - Security and Privacy Representatives - - - - - - - CM-3(4) - CM-03(04) - -

Require to be members of the .

- - -

Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.

- - - - Cryptography Management - - - - CM-3(6) - CM-03(06) - SC-12 - -

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: .

- - -

The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates.

- - - - - Impact Analyses - CM-4 - CM-04 - [SP 800-128] - CA-7 - CM-3 - CM-8 - CM-9 - MA-2 - RA-3 - RA-5 - SA-5 - SA-8 - SA-10 - SI-2 - -

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

- - -

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required.

- - - Separate Test Environments - CM-4(1) - CM-04(01) - SA-11 - SC-7 - -

Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.

- - -

A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation.

- - - - Verification of Controls - CM-4(2) - CM-04(02) - SA-11 - SC-3 - SI-6 - -

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

- - -

Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls.

- - - - - Access Restrictions for Change - CM-5 - CM-05 - [FIPS 140-3] - [FIPS 186-4] - AC-3 - AC-5 - AC-6 - CM-9 - PE-3 - SC-28 - SC-34 - SC-37 - SI-2 - SI-10 - -

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

- - -

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

- - - Automated Access Enforcement and Audit Records - - - - CM-5(1) - CM-05(01) - AU-2 - AU-6 - AU-7 - AU-12 - CM-6 - CM-11 - SI-12 - - - (a) -

Enforce access restrictions using ; and

- - - (b) -

Automatically generate audit records of the enforcement actions.

- - - -

Organizations log access records associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.

- - - - Signed Components - - - - CM-5(3) - CM-05(03) - CM-7 - SC-13 - SI-7 - -

Prevent the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

- - -

Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.

- - - - - Configuration Settings - - - - - - - - - - CM-6 - CM-06 - [SP 800-70] - [SP 800-126] - [SP 800-128] - [USGCB] - [NCPR] - [DOD STIG] - AC-3 - AC-19 - AU-2 - AU-6 - CA-9 - CM-2 - CM-3 - CM-5 - CM-7 - CM-11 - CP-7 - CP-9 - CP-10 - IA-3 - IA-5 - PL-8 - RA-5 - SA-4 - SA-5 - SA-8 - SA-9 - SC-18 - SC-28 - SC-43 - SI-2 - SI-4 - SI-6 - - - a. -

Establish and document configuration settings for components employed within the system using that reflect the most restrictive mode consistent with operational requirements;

- - - b. -

Implement the configuration settings;

- - - c. -

Identify, document, and approve any deviations from established configuration settings for based on ; and

- - - d. -

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

- - - -

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. -Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. -Implementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

- - - Automated Management, Application, and Verification - - - - - - - CM-6(1) - CM-06(01) - CA-7 - -

Centrally manage, apply, and verify configuration settings for using .

- - -

Automated tools (e.g., security information and event management tools or enterprise security monitoring tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision making within the organization.

- - - - Respond to Unauthorized Changes - - - - - - - CM-6(2) - CM-06(02) - IR-4 - IR-6 - SI-7 - -

Take the following actions in response to unauthorized changes to : .

- - -

Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected system processing.

- - - - - Least Functionality - - - - - - - CM-7 - CM-07 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-167] - AC-3 - AC-4 - CM-2 - CM-5 - CM-6 - CM-11 - RA-5 - SA-4 - SA-5 - SA-8 - SA-9 - SA-15 - SC-2 - SC-3 - SC-7 - SC-37 - SI-4 - - - a. -

Configure the system to provide only ; and

- - - b. -

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

- - - -

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).

- - - Periodic Review - - - - - - - CM-7(1) - CM-07(01) - AC-18 - - - (a) -

Review the system to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and

- - - (b) -

Disable or remove .

- - - -

Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.

- - - - Prevent Program Execution - - - - - CM-7(2) - CM-07(02) - CM-8 - PL-4 - PM-5 - PS-6 - -

Prevent program execution in accordance with .

- - -

Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time.

- - - - Authorized Software — Whitelisting - - - - - - - CM-7(5) - CM-07(05) - CM-2 - CM-6 - CM-8 - CM-10 - PM-5 - SA-10 - SC-34 - SI-7 - - - (a) -

Identify ;

- - - (b) -

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and

- - - (c) -

Review and update the list of authorized software programs .

- - - -

The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7.

- - - - - System Component Inventory - - - - - - - CM-8 - CM-08 - [OMB A-130] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-128] - CM-2 - CM-7 - CM-9 - CM-10 - CM-11 - CM-13 - CP-2 - CP-9 - MA-2 - MA-6 - PE-20 - PM-5 - SA-4 - SA-5 - SI-2 - SR-4 - - - a. -

Develop and document an inventory of system components that:

- - 1. -

Accurately reflects the system;

- - - 2. -

Includes all components within the system;

- - - 3. -

Is at the level of granularity deemed necessary for tracking and reporting; and

- - - 4. -

Includes the following information to achieve system component accountability: ; and

- - - - b. -

Review and update the system component inventory .

- - - -

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

- - - Updates During Installation and Removal - CM-8(1) - CM-08(01) - PM-16 - -

Update the inventory of system components as part of component installations, removals, and system updates.

- - -

Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components.

- - - - Automated Maintenance - - - - CM-8(2) - CM-08(02) - -

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using .

- - -

Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.

- - - - Automated Unauthorized Component Detection - - - - - - - - - - - CM-8(3) - CM-08(03) - AC-19 - CA-7 - RA-5 - SC-3 - SC-39 - SC-44 - SI-3 - SI-4 - SI-7 - - - (a) -

Detect the presence of unauthorized hardware, software, and firmware components within the system using - ; and

- - - (b) -

Take the following actions when unauthorized components are detected: .

- - - -

Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing.

- - - - Accountability Information - - CM-8(4) - CM-08(04) - -

Include in the system component inventory information, a means for identifying by , individuals responsible and accountable for administering those components.

- - -

Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required, for example, the component is determined to be the source of a breach; the component needs to be recalled or replaced; or the component needs to be relocated.

- - - - - Configuration Management Plan - - - - CM-9 - CM-09 - [SP 800-128] - CM-2 - CM-3 - CM-4 - CM-5 - CM-8 - PL-2 - SA-10 - SI-12 - -

Develop, document, and implement a configuration management plan for the system that:

- - a. -

Addresses roles, responsibilities, and configuration management processes and procedures;

- - - b. -

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

- - - c. -

Defines the configuration items for the system and places the configuration items under configuration management;

- - - d. -

Is reviewed and approved by ; and

- - - e. -

Protects the configuration management plan from unauthorized disclosure and modification.

- - - -

Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities. -Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. -Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.

- - - - Software Usage Restrictions - CM-10 - CM-10 - AC-17 - AU-6 - CM-7 - CM-8 - SC-7 - - - a. -

Use software and associated documentation in accordance with contract agreements and copyright laws;

- - - b. -

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

- - - c. -

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

- - - -

Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement.

- - - - User-installed Software - - - - - - - - - - CM-11 - CM-11 - AC-3 - AU-6 - CM-2 - CM-3 - CM-5 - CM-6 - CM-7 - CM-8 - PL-4 - SI-7 - - - a. -

Establish governing the installation of software by users;

- - - b. -

Enforce software installation policies through the following methods: ; and

- - - c. -

Monitor policy compliance .

- - - -

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

- - - - Information Location - - - - CM-12 - CM-12 - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - AC-2 - AC-3 - AC-4 - AC-6 - AC-23 - CM-8 - PM-5 - RA-2 - SA-4 - SA-8 - SA-17 - SC-4 - SC-16 - SC-28 - SI-4 - SI-7 - - - a. -

Identify and document the location of and the specific system components on which the information is processed and stored;

- - - b. -

Identify and document the users who have access to the system and system components where the information is processed and stored; and

- - - c. -

Document changes to the location (i.e., system or system components) where the information is processed and stored.

- - - -

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

- - - Automated Tools to Support Information Location - - - - - - - CM-12(1) - CM-12(01) - -

Use automated tools to identify on to ensure controls are in place to protect organizational information and individual privacy.

- - -

The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions.

- - - - - - Contingency Planning - - Policy and Procedures - - - - - - - - - - - - - - CP-1 - CP-01 - [SP 800-12] - [SP 800-30] - [SP 800-34] - [SP 800-39] - [SP 800-50] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- contingency planning policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

- - - c. -

Review and update the current contingency planning:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Contingency Plan - - - - - - - - - - - - - CP-2 - CP-02 - [SP 800-34] - [IR 8179] - CP-3 - CP-4 - CP-6 - CP-7 - CP-8 - CP-9 - CP-10 - CP-11 - CP-13 - IR-4 - IR-6 - IR-8 - IR-9 - MA-6 - MP-2 - MP-4 - MP-5 - PL-2 - PM-8 - PM-11 - SA-15 - SA-20 - SC-7 - SC-23 - SI-12 - - - a. -

Develop a contingency plan for the system that:

- - 1. -

Identifies essential missions and business functions and associated contingency requirements;

- - - 2. -

Provides recovery objectives, restoration priorities, and metrics;

- - - 3. -

Addresses contingency roles, responsibilities, assigned individuals with contact information;

- - - 4. -

Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;

- - - 5. -

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and

- - - 6. -

Is reviewed and approved by ;

- - - - b. -

Distribute copies of the contingency plan to ;

- - - c. -

Coordinate contingency planning activities with incident handling activities;

- - - d. -

Review the contingency plan for the system ;

- - - e. -

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

- - - f. -

Communicate contingency plan changes to ; and

- - - g. -

Protect the contingency plan from unauthorized disclosure and modification.

- - - -

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. -In addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

- - - Coordinate with Related Plans - CP-2(1) - CP-02(01) - -

Coordinate contingency plan development with organizational elements responsible for related plans.

- - -

Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans.

- - - - Capacity Planning - CP-2(2) - CP-02(02) - PE-11 - PE-12 - PE-13 - PE-14 - PE-18 - SC-5 - -

Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

- - -

Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential missions and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance.

- - - - Resume Missions and Business Functions - - - - - CP-2(3) - CP-02(03) - -

Plan for the resumption of missions and business functions within of contingency plan activation.

- - -

Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.

- - - - Continue Missions and Business Functions - - CP-2(5) - CP-02(05) - -

Plan for the continuance of missions and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.

- - -

Organizations may choose to conduct the contingency planning activities to continue missions and business functions as part of business continuity planning or as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.

- - - - Identify Critical Assets - - CP-2(8) - CP-02(08) - CM-8 - RA-9 - -

Identify critical system assets supporting missions and business functions.

- - -

Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.

- - - - - Contingency Training - - - - - - - CP-3 - CP-03 - [SP 800-50] - AT-2 - AT-3 - AT-4 - CP-2 - CP-4 - CP-8 - IR-2 - IR-4 - IR-9 - -

Provide contingency training to system users consistent with assigned roles and responsibilities:

- - a. -

Within of assuming a contingency role or responsibility;

- - - b. -

When required by system changes; and

- - - c. -

- thereafter.

- - - -

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan.

- - - Simulated Events - CP-3(1) - CP-03(01) - -

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

- - -

The use of simulated events creates an environment for personnel to experience actual threat events including cyber-attacks that disable web sites, ransom-ware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.

- - - - - Contingency Plan Testing - - - - - - - CP-4 - CP-04 - [FIPS 199] - [SP 800-34] - [SP 800-84] - AT-3 - CP-2 - CP-3 - CP-8 - CP-9 - IR-3 - IR-4 - PL-2 - PM-14 - SR-2 - - - a. -

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

- - - b. -

Review the contingency plan test results; and

- - - c. -

Initiate corrective actions, if needed.

- - - -

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

- - - Coordinate with Related Plans - CP-4(1) - CP-04(01) - IR-8 - PM-8 - -

Coordinate contingency plan testing with organizational elements responsible for related plans.

- - -

Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements.

- - - - Alternate Processing Site - CP-4(2) - CP-04(02) - CP-7 - -

Test the contingency plan at the alternate processing site:

- - (a) -

To familiarize contingency personnel with the facility and available resources; and

- - - (b) -

To evaluate the capabilities of the alternate processing site to support contingency operations.

- - - -

Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience, firsthand, the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational missions and functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing.

- - - - - Alternate Storage Site - CP-6 - CP-06 - [SP 800-34] - CP-2 - CP-7 - CP-8 - CP-9 - CP-10 - MP-4 - MP-5 - PE-3 - SC-36 - SI-13 - - - a. -

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and

- - - b. -

Ensure that the alternate storage site provides controls equivalent to that of the primary site.

- - - -

Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems.

- - - Separation from Primary Site - CP-6(1) - CP-06(01) - RA-3 - -

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

- - -

Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

- - - - Recovery Time and Recovery Point Objectives - CP-6(2) - CP-06(02) - -

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

- - -

Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations ensuring accessibility and correct execution.

- - - - Accessibility - CP-6(3) - CP-06(03) - RA-3 - -

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

- - -

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

- - - - - Alternate Processing Site - - - - - - - CP-7 - CP-07 - [SP 800-34] - CP-2 - CP-6 - CP-8 - CP-9 - CP-10 - MA-6 - PE-3 - PE-11 - PE-12 - PE-17 - SC-36 - SI-13 - - - a. -

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential missions and business functions within when the primary processing capabilities are unavailable;

- - - b. -

Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and

- - - c. -

Provide controls at the alternate processing site that are equivalent to those at the primary site.

- - - -

Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems.

- - - Separation from Primary Site - CP-7(1) - CP-07(01) - RA-3 - -

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

- - -

Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

- - - - Accessibility - CP-7(2) - CP-07(02) - RA-3 - -

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

- - -

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.

- - - - Priority of Service - CP-7(3) - CP-07(03) - -

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

- - -

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.

- - - - Preparation for Use - CP-7(4) - CP-07(04) - CM-2 - CM-6 - CP-4 - -

Prepare the alternate processing site so that the site can serve as the operational site supporting essential missions and business functions.

- - -

Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place.

- - - - - Telecommunications Services - - - - - - - CP-8 - CP-08 - [SP 800-34] - CP-2 - CP-6 - CP-7 - CP-11 - SC-7 - -

Establish alternate telecommunications services, including necessary agreements to permit the resumption of for essential missions and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

- - -

This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

- - - Priority of Service Provisions - CP-8(1) - CP-08(01) - - - (a) -

Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and

- - - (b) -

Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

- - - -

Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program.

- - - - Single Points of Failure - CP-8(2) - CP-08(02) - -

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

- - -

In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.

- - - - Separation of Primary and Alternate Providers - CP-8(3) - CP-08(03) - -

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

- - -

Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.

- - - - Provider Contingency Plan - - - - CP-8(4) - CP-08(04) - CP-3 - CP-4 - - - (a) -

Require primary and alternate telecommunications service providers to have contingency plans;

- - - (b) -

Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and

- - - (c) -

Obtain evidence of contingency testing and training by providers .

- - - -

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

- - - - - System Backup - - - - - - - - - - - - - CP-9 - CP-09 - [FIPS 140-3] - [FIPS 186-4] - [SP 800-34] - [SP 800-130] - [SP 800-152] - CP-2 - CP-6 - CP-10 - MP-4 - MP-5 - SC-13 - SI-4 - SI-13 - - - a. -

Conduct backups of user-level information contained in - ;

- - - b. -

Conduct backups of system-level information contained in the system ;

- - - c. -

Conduct backups of system documentation, including security and privacy-related documentation ; and

- - - d. -

Protect the confidentiality, integrity, and availability of backup information.

- - - -

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

- - - Testing for Reliability and Integrity - - - - CP-9(1) - CP-09(01) - CP-4 - -

Test backup information to verify media reliability and information integrity.

- - -

Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.

- - - - Test Restoration Using Sampling - CP-9(2) - CP-09(02) - CP-4 - -

Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.

- - -

Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is used to determine if the functions operate as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed.

- - - - Separate Storage for Critical Information - - - - CP-9(3) - CP-09(03) - CM-2 - CM-6 - CM-8 - -

Store backup copies of in a separate facility or in a fire-rated container that is not collocated with the operational system.

- - -

Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire-rated containers.

- - - - Transfer to Alternate Storage Site - - - - CP-9(5) - CP-09(05) - CP-7 - MP-3 - MP-4 - MP-5 - -

Transfer system backup information to the alternate storage site .

- - -

System backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.

- - - - Cryptographic Protection - - - - CP-9(8) - CP-09(08) - SC-12 - SC-13 - SC-28 - -

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of .

- - -

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

- - - - - System Recovery and Reconstitution - - - - CP-10 - CP-10 - [SP 800-34] - CP-2 - CP-4 - CP-6 - CP-7 - CP-9 - IR-4 - SA-8 - SC-24 - SI-13 - -

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

- - -

Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

- - - Transaction Recovery - CP-10(2) - CP-10(02) - -

Implement transaction recovery for systems that are transaction-based.

- - -

Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.

- - - - Restore Within Time-period - - - - CP-10(4) - CP-10(04) - CM-2 - CM-6 - -

Provide the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

- - -

Restoration of system components includes reimaging which restores the components to known, operational states.

- - - - - - Identification and Authentication - - Policy and Procedures - - - - - - - - - - - - - - IA-1 - IA-01 - [OMB A-130] - [FIPS 201-2] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-100] - [IR 7874] - AC-1 - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- identification and authentication policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

- - - c. -

Review and update the current identification and authentication:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Identification and Authentication (organizational Users) - IA-2 - IA-02 - [FIPS 140-3] - [FIPS 201-2] - [FIPS 202] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-79-2] - [SP 800-156] - [SP 800-166] - [IR 7539] - [IR 7676] - [IR 7817] - [IR 7849] - [IR 7870] - [IR 7874] - [IR 7966] - AC-2 - AC-3 - AC-4 - AC-14 - AC-17 - AC-18 - AU-1 - AU-6 - IA-4 - IA-5 - IA-8 - MA-4 - MA-5 - PE-2 - PL-4 - SA-4 - SA-8 - -

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

- - -

Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. -Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. -The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

- - - Multifactor Authentication to Privileged Accounts - IA-2(1) - IA-02(01) - AC-5 - AC-6 - -

Implement multifactor authentication for access to privileged accounts.

- - -

Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

- - - - Multifactor Authentication to Non-privileged Accounts - IA-2(2) - IA-02(02) - AC-5 - -

Implement multifactor authentication for access to non-privileged accounts.

- - -

Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

- - - - Individual Authentication with Group Authentication - IA-2(5) - IA-02(05) - -

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

- - -

Individual authentication prior to shared group authentication helps to mitigate the risk of using group accounts or authenticators.

- - - - Access to Accounts — Replay Resistant - - IA-2(8) - IA-02(08) - -

Implement replay-resistant authentication mechanisms for access to .

- - -

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.

- - - - Acceptance of PIV Credentials - IA-2(12) - IA-02(12) - -

Accept and electronically verify Personal Identity Verification-compliant credentials.

- - -

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential.

- - - - - Device Identification and Authentication - - - - - IA-3 - IA-03 - AC-17 - AC-18 - AC-19 - AU-6 - CA-3 - CA-9 - IA-4 - IA-5 - IA-9 - IA-11 - SI-4 - -

Uniquely identify and authenticate before establishing a connection.

- - -

Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need.

- - - - Identifier Management - - - - - - - IA-4 - IA-04 - [FIPS 201-2] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - IA-2 - IA-3 - IA-5 - IA-8 - IA-9 - MA-4 - PE-2 - PE-3 - PE-4 - PL-4 - PM-12 - PS-3 - PS-4 - PS-5 - SC-37 - -

Manage system identifiers by:

- - a. -

Receiving authorization from to assign an individual, group, role, service, or device identifier;

- - - b. -

Selecting an identifier that identifies an individual, group, role, service, or device;

- - - c. -

Assigning the identifier to the intended individual, group, role, service, or device; and

- - - d. -

Preventing reuse of identifiers for .

- - - -

Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

- - - Identify User Status - - - - IA-4(4) - IA-04(04) - -

Manage individual identifiers by uniquely identifying each individual as .

- - -

Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.

- - - - - Authenticator Management - - - - IA-5 - IA-05 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 201-2] - [FIPS 202] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [IR 7539] - [IR 7817] - [IR 7849] - [IR 7870] - [IR 8040] - AC-3 - AC-6 - CM-6 - IA-2 - IA-4 - IA-7 - IA-8 - IA-9 - MA-4 - PE-2 - PL-4 - -

Manage system authenticators by:

- - a. -

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

- - - b. -

Establishing initial authenticator content for any authenticators issued by the organization;

- - - c. -

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

- - - d. -

Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

- - - e. -

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

- - - f. -

Changing default authenticators prior to first use;

- - - g. -

Changing or refreshing authenticators ;

- - - h. -

Protecting authenticator content from unauthorized disclosure and modification;

- - - i. -

Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

- - - j. -

Changing authenticators for group or role accounts when membership to those accounts changes.

- - - -

Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. -Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

- - - Password-based Authentication - - - - - - - IA-5(1) - IA-05(01) - IA-6 - -

For password-based authentication:

- - (a) -

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

- - - (b) -

Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;

- - - (c) -

Transmit only cryptographically-protected passwords;

- - - (d) -

Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;

- - - (e) -

Require immediate selection of a new password upon account recovery;

- - - (f) -

Allow user selection of long passwords and passphrases, including spaces and all printable characters;

- - - (g) -

Employ automated tools to assist the user in selecting strong password authenticators; and

- - - (h) -

Enforce the following composition and complexity rules: .

- - - -

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof.

- - - - Implement a local cache of revocation data to support path discovery and validation. - IA-5(2) - IA-05(02) - IA-3 - SC-17 - -

Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network.

- - - - - Protection of Authenticators - IA-5(6) - IA-05(06) - RA-2 - -

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

- - -

For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process.

- - - - - Authenticator Feedback - IA-6 - IA-06 - AC-3 - -

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

- - -

Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it.

- - - - Cryptographic Module Authentication - IA-7 - IA-07 - [FIPS 140-3] - AC-3 - IA-5 - SA-4 - SC-12 - SC-13 - -

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

- - -

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

- - - - Identification and Authentication (non-organizational Users) - IA-8 - IA-08 - [OMB A-130] - [FIPS 201-2] - [SP 800-63-3] - [SP 800-79-2] - [SP 800-116] - [IR 8062] - AC-2 - AC-6 - AC-14 - AC-17 - AC-18 - AU-6 - IA-2 - IA-4 - IA-5 - IA-10 - IA-11 - MA-4 - RA-3 - SA-4 - SC-8 - -

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

- - -

Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

- - - Acceptance of PIV Credentials from Other Agencies - IA-8(1) - IA-08(01) - PE-3 - -

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

- - -

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2].

- - - - Acceptance of External Credentials - IA-8(2) - IA-08(02) - -

Accept only external credentials that are NIST-compliant.

- - -

Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels.

- - - - Use of Nist-issued Profiles - IA-8(4) - IA-08(04) - -

Conform to NIST-issued profiles for identity management.

- - -

Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols.

- - - - - Re-authentication - - - - IA-11 - IA-11 - AC-3 - AC-11 - IA-2 - IA-3 - IA-8 - -

Require users to re-authenticate when .

- - -

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically.

- - - - Identity Proofing - IA-12 - IA-12 - [FIPS 201-2] - [SP 800-63-3] - [SP 800-63A] - [SP 800-79-2] - IA-1 - IA-2 - IA-3 - IA-4 - IA-5 - IA-6 - IA-8 - - - a. -

Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;

- - - b. -

Resolve user identities to a unique individual; and

- - - c. -

Collect, validate, and verify identity evidence.

- - - -

Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A].

- - - Identity Evidence - IA-12(2) - IA-12(02) - -

Require evidence of individual identification be presented to the registration authority.

- - -

Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account.

- - - - Identity Evidence Validation and Verification - - - - IA-12(3) - IA-12(03) - -

Require that the presented identity evidence be validated and verified through .

- - -

Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account

- - - - In-person Validation and Verification - IA-12(4) - IA-12(04) - -

Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.

- - -

In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities.

- - - - Address Confirmation - - IA-12(5) - IA-12(05) - IA-12 - -

Require that a be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

- - -

To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.

- - - - - - Incident Response - - Policy and Procedures - - - - - - - - - - - - - - IR-1 - IR-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-61] - [SP 800-83] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- incident response policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

- - - c. -

Review and update the current incident response:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Incident Response Training - - - - - - - IR-2 - IR-02 - [SP 800-50] - AT-2 - AT-3 - AT-4 - CP-3 - IR-3 - IR-4 - IR-8 - IR-9 - -

Provide incident response training to system users consistent with assigned roles and responsibilities:

- - a. -

Within of assuming an incident response role or responsibility or acquiring system access;

- - - b. -

When required by system changes; and

- - - c. -

- thereafter.

- - - -

Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3.

- - - Simulated Events - IR-2(1) - IR-02(01) - -

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

- - -

Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.

- - - - Automated Training Environments - - - - IR-2(2) - IR-02(02) - -

Provide an incident response training environment using .

- - -

Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues; by selecting more realistic training scenarios and training environments; and by stressing the response capability.

- - - - - Incident Response Testing - - - - - - - IR-3 - IR-03 - [OMB A-130] - [SP 800-84] - [SP 800-115] - CP-3 - CP-4 - IR-2 - IR-4 - IR-8 - PM-14 - -

Test the effectiveness of the incident response capability for the system using the following tests: .

- - -

Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

- - - Coordination with Related Plans - IR-3(2) - IR-03(02) - -

Coordinate incident response testing with organizational elements responsible for related plans.

- - -

Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

- - - - - Incident Handling - IR-4 - IR-04 - [SP 800-61] - [SP 800-86] - [SP 800-101] - [SP 800-150] - [SP 800-160 v2] - [SP 800-184] - [IR 7559] - AC-19 - AU-6 - AU-7 - CM-6 - CP-2 - CP-3 - CP-4 - IR-2 - IR-3 - IR-6 - IR-8 - IR-10 - PE-6 - PL-2 - PM-12 - SA-8 - SC-5 - SC-7 - SI-3 - SI-4 - SI-7 - - - a. -

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

- - - b. -

Coordinate incident handling activities with contingency planning activities;

- - - c. -

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

- - - d. -

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

- - - -

Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk.

- - - Automated Incident Handling Processes - - - - IR-4(1) - IR-04(01) - -

Support the incident handling process using .

- - -

Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis.

- - - - Information Correlation - IR-4(4) - IR-04(04) - -

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

- - -

Sometimes a threat event, for example, a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.

- - - - - Incident Monitoring - IR-5 - IR-05 - [SP 800-61] - AU-6 - AU-7 - IR-8 - PE-6 - PM-5 - SC-5 - SC-7 - SI-3 - SI-4 - SI-7 - -

Track and document security, privacy, and supply chain incidents.

- - -

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports.

- - - Automated Tracking, Data Collection, and Analysis - - - - IR-5(1) - IR-05(01) - AU-7 - IR-4 - -

Track security and privacy incidents and collect and analyze incident information using .

- - -

Automated mechanisms for tracking incidents and for collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices.

- - - - - Incident Reporting - - - - - - - IR-6 - IR-06 - [SP 800-61] - CM-6 - CP-2 - IR-4 - IR-5 - IR-8 - IR-9 - - - a. -

Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within ; and

- - - b. -

Report security, privacy, and supply chain incident information to .

- - - -

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - Automated Reporting - - - - IR-6(1) - IR-06(01) - IR-7 - -

Report incidents using .

- - -

Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs.

- - - - Supply Chain Coordination - IR-6(3) - IR-06(03) - SR-8 - -

Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.

- - -

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident.

- - - - - Incident Response Assistance - IR-7 - IR-07 - [OMB A-130] - [IR 7559] - AT-2 - AT-3 - IR-4 - IR-6 - IR-8 - PM-22 - PM-26 - SA-9 - SI-18 - -

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents.

- - -

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

- - - Automation Support for Availability of Information and Support - - - - IR-7(1) - IR-07(01) - -

Increase the availability of incident response information and support using .

- - -

Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

- - - - - Incident Response Plan - - - - - - - - - - - - - - - - IR-8 - IR-08 - [OMB A-130] - [SP 800-61] - [OMB M-17-12] - AC-2 - CP-2 - CP-4 - IR-4 - IR-7 - IR-9 - PE-6 - PL-2 - SA-15 - SI-12 - SR-8 - - - a. -

Develop an incident response plan that:

- - 1. -

Provides the organization with a roadmap for implementing its incident response capability;

- - - 2. -

Describes the structure and organization of the incident response capability;

- - - 3. -

Provides a high-level approach for how the incident response capability fits into the overall organization;

- - - 4. -

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

- - - 5. -

Defines reportable incidents;

- - - 6. -

Provides metrics for measuring the incident response capability within the organization;

- - - 7. -

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

- - - 8. -

Is reviewed and approved by - ; and

- - - 9. -

Explicitly designates responsibility for incident response to .

- - - - b. -

Distribute copies of the incident response plan to ;

- - - c. -

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

- - - d. -

Communicate incident response plan changes to ; and

- - - e. -

Protect the incident response plan from unauthorized disclosure and modification.

- - - -

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

- - - - Incident Analysis - IR-10 - Withdrawn - IR-10 - IR-4(11) - - - - Maintenance - - Policy and Procedures - - - - - - - - - - - - - - MA-1 - MA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- maintenance policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

- - - c. -

Review and update the current maintenance:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Controlled Maintenance - - - - - - - - - - MA-2 - MA-02 - [OMB A-130] - [IR 8023] - CM-2 - CM-3 - CM-4 - CM-5 - CM-8 - MA-4 - MP-6 - PE-16 - SI-2 - SR-3 - SR-4 - SR-11 - - - a. -

Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

- - - b. -

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

- - - c. -

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

- - - d. -

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

- - - e. -

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

- - - f. -

Include the following information in organizational maintenance records: .

- - - -

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems.

- - - Automated Maintenance Activities - - - - MA-2(2) - MA-02(02) - MA-3 - - - (a) -

Schedule, conduct, and document maintenance, repair, and replacement actions for the system using ; and

- - - (b) -

Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.

- - - -

The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records.

- - - - - Maintenance Tools - - - - MA-3 - MA-03 - [SP 800-88] - MA-2 - PE-16 - - - a. -

Approve, control, and monitor the use of system maintenance tools; and

- - - b. -

Review previously approved system maintenance tools .

- - - -

Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools.

- - - Inspect Tools - MA-3(1) - MA-03(01) - SI-7 - -

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

- - -

Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

- - - - Inspect Media - MA-3(2) - MA-03(02) - SI-3 - -

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

- - -

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

- - - - Prevent Unauthorized Removal - - - - MA-3(3) - MA-03(03) - MP-6 - -

Prevent the removal of maintenance equipment containing organizational information by:

- - (a) -

Verifying that there is no organizational information contained on the equipment;

- - - (b) -

Sanitizing or destroying the equipment;

- - - (c) -

Retaining the equipment within the facility; or

- - - (d) -

Obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

- - - -

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

- - - - - Nonlocal Maintenance - MA-4 - MA-04 - [FIPS 140-3] - [FIPS 197] - [FIPS 201-2] - [SP 800-63-3] - [SP 800-88] - AC-2 - AC-3 - AC-6 - AC-17 - AU-2 - AU-3 - IA-2 - IA-4 - IA-5 - IA-8 - MA-2 - MA-5 - PL-2 - SC-7 - SC-10 - - - a. -

Approve and monitor nonlocal maintenance and diagnostic activities;

- - - b. -

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

- - - c. -

Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

- - - d. -

Maintain records for nonlocal maintenance and diagnostic activities; and

- - - e. -

Terminate session and network connections when nonlocal maintenance is completed.

- - - -

Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

- - - Comparable Security and Sanitization - MA-4(3) - MA-04(03) - MP-6 - SI-3 - SI-7 - - - (a) -

Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or

- - - (b) -

Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.

- - - -

Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced.

- - - - - Maintenance Personnel - MA-5 - MA-05 - AC-2 - AC-3 - AC-5 - AC-6 - IA-2 - IA-8 - MA-4 - MP-2 - PE-2 - PE-3 - PS-7 - RA-3 - - - a. -

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

- - - b. -

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

- - - c. -

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

- - - -

Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods.

- - - Individuals Without Appropriate Access - - - - MA-5(1) - MA-05(01) - MP-6 - PL-2 - - - (a) -

Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

- - (1) -

Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;

- - - (2) -

Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and

- - - - (b) -

Develop and implement in the event a system component cannot be sanitized, removed, or disconnected from the system.

- - - -

Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.

- - - - - Timely Maintenance - - - - - - - MA-6 - MA-06 - CM-8 - CP-2 - CP-7 - RA-7 - SA-15 - SI-13 - SR-2 - SR-3 - SR-4 - -

Obtain maintenance support and/or spare parts for within of failure.

- - -

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

- - - - - Media Protection - - Policy and Procedures - - - - - - - - - - - - - - MP-1 - MP-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- media protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

- - - c. -

Review and update the current media protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Media Access - - - - - - - MP-2 - MP-02 - [OMB A-130] - [FIPS 199] - [SP 800-111] - AC-19 - AU-9 - CP-2 - CP-9 - CP-10 - MA-5 - MP-4 - MP-6 - PE-2 - PE-3 - SC-13 - SC-34 - SI-12 - -

Restrict access to to .

- - -

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media.

- - - - Media Marking - - - - - - - MP-3 - MP-03 - [32 CFR 2002] - [FIPS 199] - AC-16 - CP-9 - MP-5 - PE-22 - SI-12 - - - a. -

Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

- - - b. -

Exempt from marking if the media remain within .

- - - -

Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Media Storage - - - - - - - MP-4 - MP-04 - [FIPS 199] - [SP 800-56A] - [SP 800-56B] - [SP 800-56C] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-111] - AC-19 - CP-2 - CP-6 - CP-9 - CP-10 - MP-2 - MP-7 - PE-3 - PL-2 - SC-13 - SC-28 - SC-34 - SI-12 - - - a. -

Physically control and securely store within ; and

- - - b. -

Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

- - - -

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection.

- - - - Media Transport - - - - - - - MP-5 - MP-05 - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - AC-7 - AC-19 - CP-2 - CP-9 - MP-3 - MP-4 - PE-16 - PL-2 - SC-13 - SC-28 - SC-34 - - - a. -

Protect and control during transport outside of controlled areas using ;

- - - b. -

Maintain accountability for system media during transport outside of controlled areas;

- - - c. -

Document activities associated with the transport of system media; and

- - - d. -

Restrict the activities associated with the transport of system media to authorized personnel.

- - - -

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

- - - - Media Sanitization - - - - - - - MP-6 - MP-06 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-88] - [SP 800-124] - [IR 8023] - [NSA MEDIA] - AC-3 - AC-7 - AU-11 - MA-2 - MA-3 - MA-4 - MA-5 - PM-22 - SI-12 - SI-18 - SI-19 - SR-11 - - - a. -

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

- - - b. -

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

- - - -

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information.

- - - Review, Approve, Track, Document, and Verify - MP-6(1) - MP-06(01) - -

Review, approve, track, document, and verify media sanitization and disposal actions.

- - -

Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions; types of media sanitized; files stored on the media; sanitization methods used; date and time of the sanitization actions; personnel who performed the sanitization; verification actions taken and personnel who performed the verification; and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal.

- - - - Equipment Testing - - - - MP-6(2) - MP-06(02) - -

Test sanitization equipment and procedures to verify that the intended sanitization is being achieved.

- - -

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers.

- - - - Nondestructive Techniques - - - - MP-6(3) - MP-06(03) - -

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: .

- - -

Portable storage devices include external or removable hard disk drives (solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.

- - - - - Media Use - - - - - - - - - - - MP-7 - MP-07 - [FIPS 199] - [SP 800-111] - AC-19 - AC-20 - PL-4 - PM-12 - SC-34 - SC-41 - - - a. -

- the use of on using ; and

- - - b. -

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

- - - -

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

- - - - - Physical and Environmental Protection - - Policy and Procedures - - - - - - - - - - - - - - PE-1 - PE-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - AT-3 - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- physical and environmental protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

- - - c. -

Review and update the current physical and environmental protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Physical Access Authorizations - - - - PE-2 - PE-02 - [FIPS 201-2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - AT-3 - AU-9 - IA-4 - MA-5 - MP-2 - PE-3 - PE-4 - PE-5 - PE-8 - PM-12 - PS-3 - PS-4 - PS-5 - PS-6 - - - a. -

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

- - - b. -

Issue authorization credentials for facility access;

- - - c. -

Review the access list detailing authorized facility access by individuals ; and

- - - d. -

Remove individuals from the facility access list when access is no longer required.

- - - -

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible.

- - - - Physical Access Control - - - - - - - - - - - - - - - - - - - - - - - - - - PE-3 - PE-03 - [FIPS 201-2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-116] - AT-3 - AU-2 - AU-6 - AU-9 - AU-13 - CP-10 - IA-3 - IA-8 - MA-5 - MP-2 - MP-4 - PE-2 - PE-4 - PE-5 - PE-8 - PS-2 - PS-3 - PS-6 - PS-7 - RA-3 - SC-28 - SI-4 - SR-3 - - - a. -

Enforce physical access authorizations at by:

- - 1. -

Verifying individual access authorizations before granting access to the facility; and

- - - 2. -

Controlling ingress and egress to the facility using ;

- - - - b. -

Maintain physical access audit logs for ;

- - - c. -

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

- - - d. -

Escort visitors and monitor visitor activity ;

- - - e. -

Secure keys, combinations, and other physical access devices;

- - - f. -

Inventory every ; and

- - - g. -

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

- - - -

Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

- - - System Access - - - - PE-3(1) - PE-03(01) - -

Enforce physical access authorizations to the system in addition to the physical access controls for the facility at .

- - -

Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components.

- - - - - Access Control for Transmission - - - - - - - PE-4 - PE-04 - AT-3 - IA-4 - MP-2 - MP-4 - PE-2 - PE-3 - PE-5 - PE-9 - SC-7 - SC-8 - -

Control physical access to within organizational facilities using .

- - -

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.

- - - - Access Control for Output Devices - - - - PE-5 - PE-05 - [IR 8023] - PE-2 - PE-3 - PE-4 - PE-18 - -

Control physical access to output from to prevent unauthorized individuals from obtaining the output.

- - -

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

- - - - Monitoring Physical Access - - - - - - - PE-6 - PE-06 - AU-2 - AU-6 - AU-9 - AU-12 - CA-7 - CP-10 - IR-4 - IR-8 - - - a. -

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

- - - b. -

Review physical access logs and upon occurrence of ; and

- - - c. -

Coordinate results of reviews and investigations with the organizational incident response capability.

- - - -

Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses.

- - - Intrusion Alarms and Surveillance Equipment - PE-6(1) - PE-06(01) - -

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

- - -

Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.

- - - - Monitoring Physical Access to Systems - - - - PE-6(4) - PE-06(04) - -

Monitor physical access to the system in addition to the physical access monitoring of the facility at .

- - -

Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.

- - - - - Visitor Access Records - - - - - - - - - - PE-8 - PE-08 - PE-2 - PE-3 - PE-6 - - - a. -

Maintain visitor access records to the facility where the system resides for ;

- - - b. -

Review visitor access records ; and

- - - c. -

Report anomalies in visitor access records to .

- - - -

Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas.

- - - Automated Records Maintenance and Review - - - - PE-8(1) - PE-08(01) - -

Maintain and review visitor access records using .

- - -

Visitor access records can be stored and maintained, for example, in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on regular basis to determine if access authorizations are current and still required to support organizational missions and business functions.

- - - - - Power Equipment and Cabling - PE-9 - PE-09 - PE-4 - -

Protect power equipment and power cabling for the system from damage and destruction.

- - -

Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems.

- - - - Emergency Shutoff - - - - - - - PE-10 - PE-10 - PE-15 - - - a. -

Provide the capability of shutting off power to in emergency situations;

- - - b. -

Place emergency shutoff switches or devices in to facilitate access for authorized personnel; and

- - - c. -

Protect emergency power shutoff capability from unauthorized activation.

- - - -

Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.

- - - - Emergency Power - - PE-11 - PE-11 - AT-3 - CP-2 - CP-7 - -

Provide an uninterruptible power supply to facilitate in the event of a primary power source loss.

- - -

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system.

- - - Alternate Power Supply — Minimal Operational Capability - - PE-11(1) - PE-11(01) - -

Provide an alternate power supply for the system that is activated and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.

- - -

Provision of an alternate power supply with minimal operating capability can be satisfied, for example, by accessing a secondary commercial power supply or other external power supply.

- - - - - Emergency Lighting - PE-12 - PE-12 - CP-2 - CP-7 - -

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

- - -

The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites.

- - - - Fire Protection - PE-13 - PE-13 - AT-3 - -

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

- - -

The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors.

- - - Detection Systems – Automatic Activation and Notification - - - - - - - PE-13(1) - PE-13(01) - -

Employ fire detection systems that activate automatically and notify and in the event of a fire.

- - -

Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire.

- - - - Suppression Systems – Automatic Activation and Notification - - - - - - - PE-13(2) - PE-13(02) - - - (a) -

Employ fire suppression systems that activate automatically and notify and ; and

- - - (b) -

Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.

- - - -

Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances, for example, to enter to facilities where access is restricted due to the impact level or classification of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire.

- - - - - Environmental Controls - - - - - - - - - - - PE-14 - PE-14 - AT-3 - CP-2 - PE-21 - - - a. -

Maintain levels within the facility where the system resides at ; and

- - - b. -

Monitor environmental control levels .

- - - -

The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure.

- - - - Water Damage Protection - PE-15 - PE-15 - AT-3 - PE-10 - -

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

- - -

The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

- - - Automation Support - - - - - - - PE-15(1) - PE-15(01) - -

Detect the presence of water near the system and alert using .

- - -

Automated mechanisms include notification systems, water detection sensors, and alarms.

- - - - - Delivery and Removal - - - - PE-16 - PE-16 - CM-3 - CM-8 - MA-2 - MA-3 - MP-5 - PE-20 - SR-2 - SR-3 - SR-4 - SR-6 - - - a. -

Authorize and control entering and exiting the facility; and

- - - b. -

Maintain records of the system components.

- - - -

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

- - - - Alternate Work Site - - - - - - - PE-17 - PE-17 - [SP 800-46] - AC-17 - AC-18 - CP-7 - - - a. -

Determine and document the allowed for use by employees;

- - - b. -

Employ the following controls at alternate work sites: ;

- - - c. -

Assess the effectiveness of controls at alternate work sites; and

- - - d. -

Provide a means for employees to communicate with information security and privacy personnel in case of incidents.

- - - -

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations.

- - - - Location of System Components - - - - PE-18 - PE-18 - CP-2 - PE-5 - PE-19 - PE-20 - RA-3 - -

Position system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

- - -

Physical and environmental hazards include floods, fires, tornados, earthquakes, hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications, including using wireless sniffers or microphones.

- - - - - Planning - - Policy and Procedures - - - - - - - - - - - - - - PL-1 - PL-01 - [OMB A-130] - [SP 800-12] - [SP 800-18] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- planning policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

- - - c. -

Review and update the current planning:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - System Security and Privacy Plans - - - - - - - - - - PL-2 - PL-02 - [OMB A-130, Appendix II] - [SP 800-18] - [SP 800-37] - [SP 800-160 v1] - [SP 800-160 v2] - AC-2 - AC-6 - AC-14 - AC-17 - AC-20 - CA-2 - CA-3 - CA-7 - CM-9 - CM-13 - CP-2 - CP-4 - IR-4 - IR-8 - MA-4 - MA-5 - MP-4 - MP-5 - PL-7 - PL-8 - PL-10 - PL-11 - PM-1 - PM-7 - PM-8 - PM-9 - PM-10 - PM-11 - RA-3 - RA-8 - RA-9 - SA-5 - SA-17 - SA-22 - SI-12 - SR-2 - SR-4 - - - a. -

Develop security and privacy plans for the system that:

- - 1. -

Are consistent with the organization’s enterprise architecture;

- - - 2. -

Explicitly define the constituent system components;

- - - 3. -

Describe the operational context of the system in terms of missions and business processes;

- - - 4. -

Provide the security categorization of the system, including supporting rationale;

- - - 5. -

Describe any specific threats to the system that are of concern to the organization;

- - - 6. -

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

- - - 7. -

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

- - - 8. -

Provide an overview of the security and privacy requirements for the system;

- - - 9. -

Identify any relevant control baselines or overlays, if applicable;

- - - 10. -

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

- - - 11. -

Include risk determinations for security and privacy architecture and design decisions;

- - - 12. -

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

- - - 13. -

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

- - - - b. -

Distribute copies of the plans and communicate subsequent changes to the plans to ;

- - - c. -

Review the plans ;

- - - d. -

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

- - - e. -

Protect the plans from unauthorized disclosure and modification.

- - - -

System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. -Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. -Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. -Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate.

- - - - Rules of Behavior - - - - - - - - PL-4 - PL-04 - [OMB A-130] - [SP 800-18] - AC-2 - AC-6 - AC-8 - AC-9 - AC-17 - AC-18 - AC-19 - AC-20 - AT-2 - AT-3 - CM-11 - IA-2 - IA-4 - IA-5 - MP-7 - PS-6 - PS-8 - SA-5 - SI-12 - - - a. -

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

- - - b. -

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

- - - c. -

Review and update the rules of behavior ; and

- - - d. -

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

- - - -

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons.

- - - Social Media and External Site/application Usage Restrictions - PL-4(1) - PL-04(01) - AC-22 - AU-13 - -

Include in the rules of behavior, restrictions on:

- - (a) -

Use of social media, social networking sites, and external sites/applications;

- - - (b) -

Posting organizational information on public websites; and

- - - (c) -

Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications.

- - - -

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information.

- - - - - Security and Privacy Architectures - - - - PL-8 - PL-08 - [OMB A-130] - [SP 800-160 v1] - [SP 800-160 v2] - CM-2 - CM-6 - PL-2 - PL-7 - PL-9 - PM-5 - PM-7 - RA-9 - SA-3 - SA-5 - SA-8 - SA-17 - - - a. -

Develop security and privacy architectures for the system that:

- - 1. -

Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

- - - 2. -

Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

- - - 3. -

Describe how the architectures are integrated into and support the enterprise architecture; and

- - - 4. -

Describe any assumptions about, and dependencies on, external systems and services;

- - - - b. -

Review and update the architectures to reflect changes in the enterprise architecture; and

- - - c. -

Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions.

- - - -

The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs. -[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews). -In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented. -PL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

- - - - Baseline Selection - PL-10 - PL-10 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53B] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [CNSSI 1253] - PL-2 - PL-11 - RA-2 - RA-3 - SA-8 - -

Select a control baseline for the system.

- - -

Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments.

- - - - Baseline Tailoring - PL-11 - PL-11 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53B] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [CNSSI 1253] - PL-10 - RA-2 - RA-3 - RA-9 - SA-8 - -

Tailor the selected control baseline by applying specified tailoring actions.

- - -

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities.

- - - - - Program Management - - Information Security Program Plan - - - - PM-1 - PM-01 - [FISMA] - [OMB A-130] - PL-2 - PM-8 - PM-12 - RA-9 - SI-12 - SR-2 - - - a. -

Develop and disseminate an organization-wide information security program plan that:

- - 1. -

Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;

- - - 2. -

Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

- - - 3. -

Reflects the coordination among organizational entities responsible for information security; and

- - - 4. -

Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

- - - - b. -

Review the organization-wide information security program plan ;

- - - c. -

Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and

- - - d. -

Protect the information security program plan from unauthorized disclosure and modification.

- - - -

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents. -Information security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. -Program management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization. -Common controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.

- - - - Information Security Program Leadership Role - PM-2 - PM-02 - [OMB M-17-25] - [SP 800-37] - [SP 800-39] - -

Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

- - -

The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.

- - - - Information Security and Privacy Resources - PM-3 - PM-03 - [OMB A-130] - PM-4 - SA-2 - - - a. -

Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;

- - - b. -

Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and

- - - c. -

Make available for expenditure, the planned information security and privacy resources.

- - - -

Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.

- - - - Plan of Action and Milestones Process - PM-4 - PM-04 - [PRIVACT] - [OMB A-130] - [SP 800-37] - CA-5 - CA-7 - PM-3 - RA-7 - SI-12 - - - a. -

Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:

- - 1. -

Are developed and maintained;

- - - 2. -

Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and

- - - 3. -

Are reported in accordance with established reporting requirements.

- - - - b. -

Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5.

- - - - System Inventory - - - - PM-5 - PM-05 - [IR 8062] - -

Develop and update an inventory of organizational systems.

- - -

[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8.

- - - Inventory of Personally Identifiable Information - - - - PM-5(1) - PM-05(01) - CM-8 - CM-12 - CM-13 - PL-8 - PM-22 - PT-3 - PT-6 - SI-12 - SI-18 - -

Establish, maintain, and update an inventory of all systems, applications, and projects that process personally identifiable information.

- - -

An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.

- - - - - Measures of Performance - PM-6 - PM-06 - [OMB A-130] - [SP 800-55] - [SP 800-137] - CA-7 - -

Develop, monitor, and report on the results of information security and privacy measures of performance.

- - -

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program.

- - - - Enterprise Architecture - PM-7 - PM-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - [SP 800-160 v2] - AU-6 - PL-2 - PL-8 - PM-11 - RA-2 - SA-3 - SA-8 - SA-17 - -

Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.

- - -

The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines.

- - - Offloading - - - - PM-7(1) - PM-07(01) - SA-8 - -

Offload to other systems, system components, or an external provider.

- - -

Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services.

- - - - - Critical Infrastructure Plan - PM-8 - PM-08 - [OMB A-130] - [HSPD 7] - [DHS NIPP] - CP-2 - CP-4 - PE-18 - PL-2 - PM-9 - PM-11 - PM-18 - RA-3 - SI-12 - -

Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

- - -

Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Risk Management Strategy - - - - PM-9 - PM-09 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - AC-1 - AU-1 - AT-1 - CA-1 - CA-2 - CA-5 - CA-6 - CA-7 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PL-2 - PM-2 - PM-8 - PM-18 - PM-28 - PM-30 - PS-1 - PT-1 - PT-2 - PT-3 - RA-1 - RA-3 - RA-9 - SA-1 - SA-4 - SC-1 - SC-38 - SI-1 - SI-12 - SR-1 - SR-2 - - - a. -

Develops a comprehensive strategy to manage:

- - 1. -

Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and

- - - 2. -

Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

- - - - b. -

Implement the risk management strategy consistently across the organization; and

- - - c. -

Review and update the risk management strategy or as required, to address organizational changes.

- - - -

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive.

- - - - Authorization Process - PM-10 - PM-10 - [SP 800-37] - [SP 800-39] - CA-6 - CA-7 - PL-2 - - - a. -

Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;

- - - b. -

Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and

- - - c. -

Integrate the authorization processes into an organization-wide risk management program.

- - - -

Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.

- - - - Mission and Business Process Definition - - - - PM-11 - PM-11 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - CP-2 - PL-2 - PM-7 - PM-8 - RA-2 - RA-3 - SA-2 - - - a. -

Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and

- - - b. -

Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and

- - - c. -

Review and revise the mission and business processes .

- - - -

Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures.

- - - - Insider Threat Program - PM-12 - PM-12 - [EO 13587] - [ODNI NITP] - AC-6 - AT-2 - AU-6 - AU-7 - AU-10 - AU-12 - AU-13 - CA-7 - IA-4 - IR-4 - MP-7 - PE-2 - PM-16 - PS-3 - PS-4 - PS-5 - PS-7 - PS-8 - SC-7 - SC-38 - SI-4 - PM-14 - -

Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

- - -

Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture. -Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Security and Privacy Workforce - PM-13 - PM-13 - [OMB A-130] - [SP 800-181] - AT-2 - AT-3 - -

Establish a security and privacy workforce development and improvement program.

- - -

Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.

- - - - Testing, Training, and Monitoring - PM-14 - PM-14 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - AT-2 - AT-3 - CA-7 - CP-4 - IR-3 - PM-12 - SI-4 - - - a. -

Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:

- - 1. -

Are developed and maintained; and

- - - 2. -

Continue to be executed; and

- - - - b. -

Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

- - - - Security and Privacy Groups and Associations - PM-15 - PM-15 - [OMB A-130] - SA-11 - SI-5 - -

Establish and institutionalize contact with selected groups and associations within the security and privacy communities:

- - a. -

To facilitate ongoing security and privacy education and training for organizational personnel;

- - - b. -

To maintain currency with recommended security and privacy practices, techniques, and technologies; and

- - - c. -

To share current security and privacy information, including threats, vulnerabilities, and incidents.

- - - -

Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Threat Awareness Program - PM-16 - PM-16 - IR-4 - PM-12 - -

Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.

- - -

Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared.

- - - Automated Means for Sharing Threat Intelligence - PM-16(1) - PM-16(01) - -

Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.

- - -

To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures.

- - - - - Protecting Controlled Unclassified Information on External Systems - - - - PM-17 - PM-17 - [32 CFR 2002] - [SP 800-171] - [NARA CUI] - CA-6 - PM-10 - - - a. -

Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards.

- - - b. -

Update the policy and procedures .

- - - -

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

- - - - Privacy Program Plan - PM-18 - PM-18 - [PRIVACT] - [OMB A-130] - PM-8 - PM-9 - PM-19 - - - a. -

Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:

- - 1. -

Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;

- - - 2. -

Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;

- - - 3. -

Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;

- - - 4. -

Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;

- - - 5. -

Reflects coordination among organizational entities responsible for the different aspects of privacy; and

- - - 6. -

Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and

- - - - b. -

Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.

- - - -

A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. -The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. -Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. -Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.

- - - - Privacy Program Leadership Role - PM-19 - PM-19 - [OMB A-130] - PM-18 - PM-20 - PM-23 - PM-24 - -

Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

- - -

The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24).

- - - - Dissemination of Privacy Program Information - PM-20 - PM-20 - [PRIVACT] - [OMB A-130] - [OMB M-17-06] - PM-19 - PT-6 - PT-7 - RA-8 - -

Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:

- - a. -

Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;

- - - b. -

Ensures that organizational privacy practices and reports are publicly available; and

- - - c. -

Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.

- - - -

Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications.

- - - - Accounting of Disclosures - PM-21 - PM-21 - [PRIVACT] - [OMB A-130] - AU-2 - PT-2 - - - a. -

Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:

- - 1. -

Date, nature, and purpose of each disclosure; and

- - - 2. -

Name and address, or other contact information of the person or organization to which the disclosure was made;

- - - - b. -

Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and

- - - c. -

Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.

- - - -

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. -Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions.

- - - - Personally Identifiable Information Quality Management - PM-22 - PM-22 - [OMB A-130] - [SP 800-188] - PM-23 - SI-18 - -

Develop and document policies and procedures for:

- - a. -

Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;

- - - b. -

Correcting or deleting inaccurate or outdated personally identifiable information;

- - - c. -

Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and

- - - d. -

Appeals of adverse decisions on correction or deletion requests.

- - - -

Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. -The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. -Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.

- - - - Data Governance Body - - - - - - - PM-23 - PM-23 - [EVIDACT] - [OMB A-130] - [OMB M-19-23] - [SP 800-188] - AT-2 - AT-3 - PM-19 - PM-22 - PM-24 - PT-8 - SI-4 - SI-19 - -

Establish a Data Governance Body consisting of with .

- - -

A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23].

- - - - Data Integrity Board - PM-24 - PM-24 - [PRIVACT] - [OMB A-130, Appendix II] - [OMB A-108] - AC-4 - PM-19 - PM-23 - PT-8 - -

Establish a Data Integrity Board to:

- - a. -

Review proposals to conduct or participate in a matching program; and

- - - b. -

Conduct an annual review of all matching programs in which the agency has participated.

- - - -

A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.

- - - - Minimization of Pii Used in Testing, Training, and Research - - - - PM-25 - PM-25 - [OMB A-130, Appendix II] - PM-23 - PT-3 - SA-3 - - - a. -

Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;

- - - b. -

Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;

- - - c. -

Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and

- - - d. -

Review and update policies and procedures .

- - - -

The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2).

- - - - Complaint Management - - - - - - - - - - PM-26 - PM-26 - [OMB A-130] - IR-7 - IR-9 - PM-22 - SI-18 - -

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:

- - a. -

Mechanisms that are easy to use and readily accessible by the public;

- - - b. -

All information necessary for successfully filing complaints;

- - - c. -

Tracking mechanisms to ensure all complaints received are reviewed and addressed within ;

- - - d. -

Acknowledgement of receipt of complaints, concerns, or questions from individuals within ; and

- - - e. -

Response to complaints, concerns, or questions from individuals within .

- - - -

Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information.

- - - - Privacy Reporting - - - - - - - - - - PM-27 - PM-27 - [FISMA] - [OMB A-130] - [OMB A-108] - IR-9 - PM-19 - - - a. -

Develop and disseminate to:

- - 1. -

OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

- - - 2. -

- and other personnel with responsibility for monitoring privacy program compliance; and

- - - - b. -

Review and update privacy reports .

- - - -

Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.

- - - - Risk Framing - - - - - - - PM-28 - PM-28 - [OMB A-130] - [SP 800-39] - CA-7 - PM-9 - RA-3 - RA-7 - - - a. -

Identify and document:

- - 1. -

Assumptions affecting risk assessments, risk responses, and risk monitoring;

- - - 2. -

Constraints affecting risk assessments, risk responses, and risk monitoring;

- - - 3. -

Priorities and trade-offs considered by the organization for managing risk; and

- - - 4. -

Organizational risk tolerance; and

- - - - b. -

Distribute the results of risk framing activities to ;

- - - c. -

Review and update risk framing considerations .

- - - -

Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.

- - - - Risk Management Program Leadership Roles - PM-29 - PM-29 - [SP 800-37] - PM-2 - PM-19 - - - a. -

Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and

- - - b. -

Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.

- - - -

The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.

- - - - Supply Chain Risk Management Strategy - - - - PM-30 - PM-30 - [SP 800-161] - PM-9 - SR-1 - SR-2 - SR-3 - SR-4 - SR-5 - SR-6 - SR-7 - SR-8 - SR-9 - SR-11 - - - a. -

Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;

- - - b. -

Implement the supply chain risk management strategy consistently across the organization; and

- - - c. -

Review and update the supply chain risk management strategy on or as required, to address organizational changes.

- - - -

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level.

- - - - Continuous Monitoring Strategy - - - - - - - - - - - - - - - - PM-31 - PM-31 - [SP 800-37] - [SP 800-137] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CA-7 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-2 - SR-4 - -

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

- - a. -

Establishing the following organization-wide metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;

- - - d. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - e. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - f. -

Reporting the security and privacy status of organizational systems to - .

- - - -

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - - Purposing - - - - PM-32 - PM-32 - [SP 800-137] - CA-7 - PL-2 - RA-3 - RA-9 - -

Analyze supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.

- - -

Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures.

- - - - - Personnel Security - - Policy and Procedures - - - - - - - - - - - - - - PS-1 - PS-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- personnel security policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

- - - c. -

Review and update the current personnel security:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Position Risk Designation - - - - PS-2 - PS-02 - [5 CFR 731] - AC-5 - AT-3 - PE-2 - PE-3 - PL-2 - PS-3 - PS-6 - SA-5 - SA-21 - SI-12 - - - a. -

Assign a risk designation to all organizational positions;

- - - b. -

Establish screening criteria for individuals filling those positions; and

- - - c. -

Review and update position risk designations .

- - - -

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

- - - - Personnel Screening - - - - PS-3 - PS-03 - [EO 13526] - [EO 13587] - [FIPS 199] - [FIPS 201-2] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - AC-2 - IA-4 - MA-5 - PE-2 - PM-12 - PS-2 - PS-6 - PS-7 - SA-21 - - - a. -

Screen individuals prior to authorizing access to the system; and

- - - b. -

Rescreen individuals in accordance with .

- - - -

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

- - - - Personnel Termination - - - - - - - PS-4 - PS-04 - AC-2 - IA-4 - PE-2 - PM-12 - PS-6 - PS-7 - -

Upon termination of individual employment:

- - a. -

Disable system access within ;

- - - b. -

Terminate or revoke any authenticators and credentials associated with the individual;

- - - c. -

Conduct exit interviews that include a discussion of ;

- - - d. -

Retrieve all security-related organizational system-related property; and

- - - e. -

Retain access to organizational information and systems formerly controlled by terminated individual.

- - - -

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified.

- - - Automated Notification - - - - - - - PS-4(2) - PS-04(02) - -

Notify of individual termination actions using .

- - -

In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including telephonically, via electronic mail, via text message, or via websites.

- - - - - Personnel Transfer - - - - - - - - - - - - - PS-5 - PS-05 - AC-2 - IA-4 - PE-2 - PM-12 - PS-4 - PS-7 - - - a. -

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

- - - b. -

Initiate within ;

- - - c. -

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

- - - d. -

Notify within .

- - - -

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

- - - - Access Agreements - - - - - - - PS-6 - PS-06 - AC-17 - PE-2 - PL-4 - PS-2 - PS-3 - PS-6 - PS-7 - PS-8 - SA-21 - SI-12 - - - a. -

Develop and document access agreements for organizational systems;

- - - b. -

Review and update the access agreements ; and

- - - c. -

Verify that individuals requiring access to organizational information and systems:

- - 1. -

Sign appropriate access agreements prior to being granted access; and

- - - 2. -

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

- - - - -

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

- - - - External Personnel Security - - - - - - - PS-7 - PS-07 - [SP 800-35] - AT-2 - AT-3 - MA-5 - PE-3 - PS-2 - PS-3 - PS-4 - PS-5 - PS-6 - SA-5 - SA-9 - SA-21 - - - a. -

Establish personnel security requirements, including security roles and responsibilities for external providers;

- - - b. -

Require external providers to comply with personnel security policies and procedures established by the organization;

- - - c. -

Document personnel security requirements;

- - - d. -

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

- - - e. -

Monitor provider compliance with personnel security requirements.

- - - -

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated.

- - - - Personnel Sanctions - - - - - - - PS-8 - PS-08 - AC-1 - AT-1 - AU-1 - CA-1 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PM-1 - PS-1 - PT-1 - RA-1 - SA-1 - SC-1 - SI-1 - SR-1 - PL-4 - PM-12 - PS-6 - PT-1 - - - a. -

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

- - - b. -

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

- - - -

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

- - - - - Risk Assessment - - Policy and Procedures - - - - - - - - - - - - - - RA-1 - RA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- risk assessment policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

- - - c. -

Review and update the current risk assessment:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Security Categorization - RA-2 - RA-02 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - CM-8 - MP-4 - PL-2 - PL-10 - PL-11 - PM-7 - RA-3 - RA-5 - RA-7 - RA-8 - SA-8 - SC-7 - SC-38 - SI-12 - - - a. -

Categorize the system and information it processes, stores, and transmits;

- - - b. -

Document the security categorization results, including supporting rationale, in the security plan for the system; and

- - - c. -

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

- - - -

Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. -Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts. -Security categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant.

- - - - Risk Assessment - - - - - - - - - - - - - - RA-3 - RA-03 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - [IR 8062] - CA-3 - CM-4 - CM-13 - CP-6 - CP-7 - IA-8 - MA-5 - PE-3 - PE-18 - PL-2 - PL-10 - PL-11 - PM-8 - PM-9 - PM-28 - RA-2 - RA-5 - RA-7 - SA-8 - SA-9 - SC-38 - SI-12 - - - a. -

Conduct a risk assessment, including:

- - 1. -

The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

- - - 2. -

The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

- - - - b. -

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

- - - c. -

Document risk assessment results in ;

- - - d. -

Review risk assessment results ;

- - - e. -

Disseminate risk assessment results to ; and

- - - f. -

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

- - - -

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. -Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. -In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

- - - Supply Chain Risk Assessment - - - - - - - RA-3(1) - RA-03(01) - RA-2 - RA-9 - PM-17 - SR-2 - - - (a) -

Assess supply chain risks associated with ; and

- - - (b) -

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

- - - -

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

- - - - - Vulnerability Monitoring and Scanning - - - - - - - - - - RA-5 - RA-05 - [SP 800-40] - [SP 800-53A] - [SP 800-70] - [SP 800-115] - [SP 800-126] - [IR 7788] - [IR 8023] - CA-2 - CA-7 - CM-2 - CM-4 - CM-6 - CM-8 - RA-2 - RA-3 - SA-11 - SA-15 - SC-38 - SI-2 - SI-3 - SI-4 - SI-7 - SR-11 - - - a. -

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

- - - b. -

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

- - 1. -

Enumerating platforms, software flaws, and improper configurations;

- - - 2. -

Formatting checklists and test procedures; and

- - - 3. -

Measuring vulnerability impact;

- - - - c. -

Analyze vulnerability scan reports and results from vulnerability monitoring;

- - - d. -

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

- - - e. -

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

- - - f. -

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

- - - -

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. -Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). -Vulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. -Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

- - - Update System Vulnerabilities - - - - - RA-5(2) - RA-05(02) - SI-5 - -

Update the system vulnerabilities to be scanned .

- - -

Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

- - - - Discoverable Information - - - - RA-5(4) - RA-05(04) - AU-13 - SC-26 - -

Determine information about the system that is discoverable and take .

- - -

Discoverable information includes information that adversaries could obtain without compromising or breaching the system, for example, by collecting information the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.

- - - - Privileged Access - - - - - - - RA-5(5) - RA-05(05) - -

Implement privileged access authorization to for .

- - -

In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

- - - - - Risk Response - RA-7 - RA-07 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - CA-5 - IR-9 - PM-4 - PM-28 - RA-2 - RA-3 - SR-2 - -

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

- - -

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

- - - - Criticality Analysis - - - - - - - RA-9 - RA-09 - [IR 8179] - CP-2 - PL-2 - PL-8 - PL-11 - PM-1 - RA-2 - SA-8 - SA-15 - SA-20 - -

Identify critical system components and functions by performing a criticality analysis for at .

- - -

Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system. -The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.

- - - - - System and Services Acquisition - - Policy and Procedures - - - - - - - - - - - - - - SA-1 - SA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [SP 800-160 v1] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and services acquisition policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

- - - c. -

Review and update the current system and services acquisition:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Allocation of Resources - SA-2 - SA-02 - [OMB A-130] - [SP 800-160 v1] - PL-7 - PM-3 - PM-11 - SA-9 - SR-3 - SR-5 - - - a. -

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

- - - b. -

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

- - - c. -

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

- - - -

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle.

- - - - System Development Life Cycle - - - - SA-3 - SA-03 - [OMB A-130] - [SP 800-30] - [SP 800-37] - [SP 800-160 v1] - [SP 800-171] - [SP 800-171B] - AT-3 - PL-8 - PM-7 - SA-4 - SA-5 - SA-8 - SA-11 - SA-15 - SA-17 - SA-22 - SR-3 - SR-5 - SR-9 - - - a. -

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

- - - b. -

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

- - - c. -

Identify individuals having information security and privacy roles and responsibilities; and

- - - d. -

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

- - - -

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. -The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle.

- - - - Acquisition Process - - - - - SA-4 - SA-04 - [PRIVACT] - [OMB A-130] - [ISO 15408-1] - [ISO 15408-2] - [ISO 15408-3] - [FIPS 140-3] - [FIPS 201-2] - [SP 800-35] - [SP 800-37] - [SP 800-70] - [SP 800-73-4] - [SP 800-137] - [SP 800-160 v1] - [SP 800-161] - [IR 7539] - [IR 7622] - [IR 7676] - [IR 7870] - [IR 8062] - [NIAP CCEVS] - [NSA CSFC] - CM-6 - CM-8 - PS-7 - SA-3 - SA-5 - SA-8 - SA-11 - SA-15 - SA-16 - SA-17 - SA-21 - SR-3 - SR-5 - -

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

- - a. -

Security and privacy functional requirements;

- - - b. -

Strength of mechanism requirements;

- - - c. -

Security and privacy assurance requirements;

- - - d. -

Controls needed to satisfy the security and privacy requirements.

- - - e. -

Security and privacy documentation requirements;

- - - f. -

Requirements for protecting security and privacy documentation;

- - - g. -

Description of the system development environment and environment in which the system is intended to operate;

- - - h. -

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

- - - i. -

Acceptance criteria.

- - - -

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. -Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. -Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement.

- - - Functional Properties of Controls - SA-4(1) - SA-04(01) - -

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

- - -

Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

- - - - Design and Implementation Information for Controls - - - - - - - - SA-4(2) - SA-04(02) - -

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: at .

- - -

Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.

- - - - System, Component, and Service Configurations - - - - SA-4(5) - SA-04(05) - -

Require the developer of the system, system component, or system service to:

- - (a) -

Deliver the system, component, or service with implemented; and

- - - (b) -

Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

- - - -

Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.

- - - - Functions, Ports, Protocols, and Services in Use - SA-4(9) - SA-04(09) - CM-7 - SA-9 - -

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

- - -

The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.

- - - - Use of Approved PIV Products - SA-4(10) - SA-04(10) - IA-2 - IA-8 - PM-9 - -

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

- - -

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations.

- - - - - System Documentation - - - - - - - SA-5 - SA-05 - [SP 800-160 v1] - CM-4 - CM-6 - CM-7 - CM-8 - PL-2 - PL-4 - PL-8 - PS-2 - SA-3 - SA-4 - SA-8 - SA-9 - SA-10 - SA-11 - SA-15 - SA-16 - SA-17 - SI-12 - SR-3 - - - a. -

Obtain administrator documentation for the system, system component, or system service that describes:

- - 1. -

Secure configuration, installation, and operation of the system, component, or service;

- - - 2. -

Effective use and maintenance of security and privacy functions and mechanisms; and

- - - 3. -

Known vulnerabilities regarding configuration and use of administrative or privileged functions;

- - - - b. -

Obtain user documentation for the system, system component, or system service that describes:

- - 1. -

User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;

- - - 2. -

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and

- - - 3. -

User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

- - - - c. -

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes in response;

- - - d. -

Protect documentation as required, in accordance with the organizational risk management strategy; and

- - - e. -

Distribute documentation to .

- - - -

System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

- - - - Security and Privacy Engineering Principles - - - - SA-8 - SA-08 - [FIPS 199] - [FIPS 200] - [SP 800-53A] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [IR 8062] - PL-8 - PM-7 - RA-2 - RA-3 - RA-9 - SA-3 - SA-4 - SA-15 - SA-17 - SA-20 - SC-2 - SC-3 - SC-32 - SC-39 - SR-2 - SR-3 - SR-5 - -

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

- - -

Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. -The application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. -Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design.

- - - - External System Services - - - - - - - SA-9 - SA-09 - [OMB A-130] - [SP 800-35] - [SP 800-160 v1] - [SP 800-161] - AC-20 - CA-3 - CP-2 - IR-4 - IR-7 - PL-10 - PL-11 - PS-7 - SA-2 - SA-4 - SR-3 - SR-5 - - - a. -

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

- - - b. -

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

- - - c. -

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

- - - -

External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - Identification of Functions, Ports, Protocols, and Services - - - - SA-9(2) - SA-09(02) - CM-6 - CM-7 - -

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: .

- - -

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.

- - - - - Developer Configuration Management - - - - - - - - SA-10 - SA-10 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 202] - [SP 800-128] - [SP 800-160 v1] - CM-2 - CM-3 - CM-4 - CM-7 - CM-9 - SA-4 - SA-5 - SA-8 - SA-15 - SI-2 - SR-3 - SR-4 - SR-5 - SR-6 - -

Require the developer of the system, system component, or system service to:

- - a. -

Perform configuration management during system, component, or service ;

- - - b. -

Document, manage, and control the integrity of changes to ;

- - - c. -

Implement only organization-approved changes to the system, component, or service;

- - - d. -

Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and

- - - e. -

Track security flaws and flaw resolution within the system, component, or service and report findings to .

- - - -

Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes. -The configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.

- - - - Developer Testing and Evaluation - - - - - - - - SA-11 - SA-11 - [ISO 15408-3] - [SP 800-30] - [SP 800-53A] - [SP 800-154] - [SP 800-160 v1] - CA-2 - CA-7 - CM-4 - SA-3 - SA-4 - SA-5 - SA-8 - SA-15 - SA-17 - SI-2 - SR-5 - SR-6 - SR-7 - -

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

- - a. -

Develop and implement a plan for ongoing security and privacy assessments;

- - - b. -

Perform testing/evaluation at ;

- - - c. -

Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;

- - - d. -

Implement a verifiable flaw remediation process; and

- - - e. -

Correct flaws identified during testing and evaluation.

- - - -

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. -Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

- - - - Development Process, Standards, and Tools - - - - - - - SA-15 - SA-15 - [SP 800-160 v1] - [IR 8179] - MA-6 - SA-3 - SA-4 - SA-8 - SA-10 - SA-11 - SR-3 - SR-4 - SR-5 - SR-6 - SR-9 - - - a. -

Require the developer of the system, system component, or system service to follow a documented development process that:

- - 1. -

Explicitly addresses security and privacy requirements;

- - - 2. -

Identifies the standards and tools used in the development process;

- - - 3. -

Documents the specific tool options and tool configurations used in the development process; and

- - - 4. -

Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

- - - - b. -

Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: .

- - - -

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.

- - - Criticality Analysis - - - - - - - SA-15(3) - SA-15(03) - RA-9 - -

Require the developer of the system, system component, or system service to perform a criticality analysis:

- - (a) -

At the following decision points in the system development life cycle: ; and

- - - (b) -

At the following level of rigor: .

- - - -

Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.

- - - - - Developer-provided Training - - - - SA-16 - SA-16 - AT-2 - AT-3 - PE-3 - SA-4 - SA-5 - -

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: .

- - -

Developer-provided training applies to external and internal (in-house) developers. Training of personnel is an essential element to help ensure the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training; classroom-style training; and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.

- - - - Developer Security Architecture and Design - SA-17 - SA-17 - [ISO 15408-2] - [ISO 15408-3] - [SP 800-160 v1] - PL-2 - PL-8 - PM-7 - SA-3 - SA-4 - SA-8 - -

Require the developer of the system, system component, or system service to produce a design specification and security architecture that:

- - a. -

Is consistent with the organization’s security architecture that is an integral part the organization’s enterprise architecture;

- - - b. -

Accurately and completely describes the required security functionality, and the allocation of controls among physical and logical components; and

- - - c. -

Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

- - - -

Developer security architecture and design is directed at external developers, although it could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security architecture and that the architecture is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services, and when there is a requirement to demonstrate consistency with the enterprise architecture and security architecture of the organization. [ISO 15408-2], [ISO 15408-3], and [SP 800-160 v1] provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

- - - - Developer Screening - - - - - - - - - - SA-21 - SA-21 - PS-2 - PS-3 - PS-6 - PS-7 - SA-4 - -

Require that the developer of :

- - a. -

Has appropriate access authorizations as determined by assigned ;

- - - b. -

Satisfies the following additional personnel screening criteria: ; and

- - - c. -

Provides information that the access authorizations and screening criteria are satisfied.

- - - -

Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals accessing the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships the company has with entities potentially affecting the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.

- - - - Unsupported System Components - - - - - SA-22 - SA-22 - PL-2 - SA-3 - - - a. -

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or

- - - b. -

Provide the following options for alternative sources for continued support for unsupported components .

- - - -

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. -Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors.

- - - - - System and Communications Protection - - Policy and Procedures - - - - - - - - - - - - - - SC-1 - SC-01 - [OMB A-130] - [SP 800-12] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and communications protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

- - - c. -

Review and update the current system and communications protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Separation of System and User Functionality - SC-2 - SC-02 - AC-6 - SA-4 - SA-8 - SC-3 - SC-7 - SC-22 - SC-32 - SC-39 - -

Separate user functionality, including user interface services, from system management functionality.

- - -

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).

- - - - Security Function Isolation - SC-3 - SC-03 - AC-3 - AC-6 - AC-25 - CM-2 - CM-4 - SA-4 - SA-5 - SA-8 - SA-15 - SA-17 - SC-2 - SC-7 - SC-32 - SC-39 - SI-16 - -

Isolate security functions from nonsecurity functions.

- - -

Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Systems implement code separation in many ways, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).

- - - - Information in Shared System Resources - SC-4 - SC-04 - AC-3 - AC-4 - SA-8 - -

Prevent unauthorized and unintended information transfer via shared system resources.

- - -

Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

- - - - Denial of Service Protection - - - - - - - - SC-5 - SC-05 - [SP 800-189] - CP-2 - IR-4 - SC-6 - SC-7 - SC-40 - - - a. -

- the effects of the following types of denial of service events: ; and

- - - b. -

Employ the following controls to achieve the denial of service objective: .

- - - -

Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events.

- - - - Boundary Protection - - SC-7 - SC-07 - [OMB A-130] - [FIPS 199] - [SP 800-37] - [SP 800-41] - [SP 800-77] - [SP 800-189] - AC-4 - AC-17 - AC-18 - AC-19 - AC-20 - AU-13 - CA-3 - CM-2 - CM-4 - CM-7 - CM-10 - CP-8 - CP-10 - IR-4 - MA-4 - PE-3 - PM-12 - SA-8 - SC-5 - SC-32 - SC-43 - - - a. -

Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;

- - - b. -

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

- - - c. -

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

- - - -

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions.

- - - Access Points - SC-7(3) - SC-07(03) - -

Limit the number of external network connections to the system.

- - -

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

- - - - External Telecommunications Services - - - - SC-7(4) - SC-07(04) - AC-3 - SC-8 - - - (a) -

Implement a managed interface for each external telecommunication service;

- - - (b) -

Establish a traffic flow policy for each managed interface;

- - - (c) -

Protect the confidentiality and integrity of the information being transmitted across each interface;

- - - (d) -

Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

- - - (e) -

Review exceptions to the traffic flow policy and remove exceptions that are no longer supported by an explicit mission or business need;

- - - (f) -

Prevent unauthorized exchange of control plane traffic with external networks;

- - - (g) -

Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

- - - (h) -

Filter unauthorized control plane traffic from external networks.

- - - -

External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.”

- - - - Deny by Default — Allow by Exception - - - - - SC-7(5) - SC-07(05) - -

Deny network communications traffic by default and allow network communications traffic by exception .

- - -

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

- - - - Prevent Split Tunneling for Remote Devices - SC-7(7) - SC-07(07) - -

Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

- - -

Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information.

- - - - Route Traffic to Authenticated Proxy Servers - - - - - - - SC-7(8) - SC-07(08) - AC-3 - -

Route to through authenticated proxy servers at managed interfaces.

- - -

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation).

- - - - Fail Secure - SC-7(18) - SC-07(18) - CP-2 - CP-12 - SC-24 - -

Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.

- - -

Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.

- - - - Isolation of System Components - - - - - - - SC-7(21) - SC-07(21) - CA-9 - SC-3 - -

Employ boundary protection mechanisms to isolate supporting .

- - -

Organizations can isolate system components performing different missions or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization techniques; cross-domain devices separating subnetworks; and encrypting information flows among system components using distinct encryption keys.

- - - - - Transmission Confidentiality and Integrity - - SC-8 - SC-08 - [FIPS 140-3] - [FIPS 197] - [SP 800-52] - [SP 800-77] - [SP 800-81-2] - [SP 800-113] - [SP 800-177] - [IR 8023] - AC-17 - AC-18 - AU-10 - IA-3 - IA-8 - IA-9 - MA-4 - PE-4 - SA-4 - SA-8 - SC-7 - SC-16 - SC-20 - SC-23 - SC-28 - -

Protect the of transmitted information.

- - -

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. -Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

- - - Cryptographic Protection - - SC-8(1) - SC-08(01) - SC-13 - -

Implement cryptographic mechanisms to during transmission.

- - -

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path.

- - - - - Network Disconnect - - - - SC-10 - SC-10 - AC-17 - SC-23 - -

Terminate the network connection associated with a communications session at the end of the session or after of inactivity.

- - -

Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses.

- - - - Cryptographic Key Establishment and Management - - - - SC-12 - SC-12 - [FIPS 140-3] - [SP 800-56A] - [SP 800-56B] - [SP 800-56C] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-63-3] - [IR 7956] - [IR 7966] - AC-17 - AU-9 - AU-10 - CM-3 - IA-3 - IA-7 - SA-4 - SA-8 - SA-9 - SC-8 - SC-11 - SC-13 - SC-17 - SC-20 - SC-37 - SC-40 - SI-3 - SI-7 - -

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

- - -

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

- - - Availability - SC-12(1) - SC-12(01) - -

Maintain availability of information in the event of the loss of cryptographic keys by users.

- - -

Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. A forgotten passphrase is an example of losing a cryptographic key.

- - - - - Cryptographic Protection - - - - - - - SC-13 - SC-13 - [FIPS 140-3] - AC-2 - AC-3 - AC-7 - AC-17 - AC-18 - AC-19 - AU-9 - AU-10 - CM-11 - CP-9 - IA-3 - IA-7 - MA-4 - MP-2 - MP-4 - MP-5 - SA-4 - SA-8 - SA-9 - SC-8 - SC-12 - SC-20 - SC-23 - SC-28 - SC-40 - SI-3 - SI-7 - - - a. -

Determine the ; and

- - - b. -

Implement the following types of cryptography required for each specified cryptographic use: .

- - - -

Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Collaborative Computing Devices and Applications - - - - SC-15 - SC-15 - AC-21 - SC-42 - - - a. -

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

- - - b. -

Provide an explicit indication of use to users physically present at the devices.

- - - -

Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

- - - - Public Key Infrastructure Certificates - - - - SC-17 - SC-17 - [SP 800-32] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-63-3] - AU-10 - IA-5 - SC-12 - - - a. -

Issue public key certificates under an or obtain public key certificates from an approved service provider; and

- - - b. -

Include only approved trust anchors in trust stores or certificate stores managed by the organization.

- - - -

This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

- - - - Mobile Code - SC-18 - SC-18 - [SP 800-28] - AU-2 - AU-12 - CM-2 - CM-6 - SI-3 - - - a. -

Define acceptable and unacceptable mobile code and mobile code technologies; and

- - - b. -

Authorize, monitor, and control the use of mobile code within the system.

- - - -

Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

- - - - Secure Name/address Resolution Service (authoritative Source) - SC-20 - SC-20 - [FIPS 140-3] - [FIPS 186-4] - [SP 800-81-2] - AU-10 - SC-8 - SC-12 - SC-13 - SC-21 - SC-22 - - - a. -

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

- - - b. -

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

- - - -

This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

- - - - Secure Name/address Resolution Service (recursive or Caching Resolver) - SC-21 - SC-21 - [SP 800-81-2] - SC-20 - SC-22 - -

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

- - -

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

- - - - Architecture and Provisioning for Name/address Resolution Service - SC-22 - SC-22 - [SP 800-81-2] - SC-2 - SC-20 - SC-21 - SC-24 - -

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

- - -

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists.

- - - - Session Authenticity - SC-23 - SC-23 - [SP 800-52] - [SP 800-77] - [SP 800-95] - [SP 800-113] - AU-10 - SC-8 - SC-10 - SC-11 - -

Protect the authenticity of communications sessions.

- - -

Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions.

- - - - Fail in Known State - - - - - - - - - - SC-24 - SC-24 - CP-2 - CP-4 - CP-10 - CP-12 - SA-8 - SC-7 - SC-22 - SI-13 - -

Fail to a for the following failures on the indicated components while preserving in failure: .

- - -

Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes.

- - - - Protection of Information at Rest - - - - - SC-28 - SC-28 - [OMB A-130] - [SP 800-56A] - [SP 800-56B] - [SP 800-56C] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-111] - [SP 800-124] - AC-3 - AC-4 - AC-6 - AC-19 - CA-7 - CM-3 - CM-5 - CM-6 - CP-9 - MP-4 - MP-5 - PE-3 - SC-8 - SC-12 - SC-13 - SC-34 - SI-3 - SI-7 - SI-16 - -

Protect the of the following information at rest: .

- - -

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage.

- - - Cryptographic Protection - - - - - - - SC-28(1) - SC-28(01) - AC-19 - -

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

- - -

Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13).

- - - - - Process Isolation - SC-39 - SC-39 - [SP 800-160 v1] - AC-3 - AC-4 - AC-6 - AC-25 - SA-8 - SC-2 - SC-3 - SI-16 - -

Maintain a separate execution domain for each executing system process.

- - -

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

- - - - - System and Information Integrity - - Policy and Procedures - - - - - - - - - - - - - - SI-1 - SI-01 - [OMB A-130] - [SP 800-12] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and information integrity policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

- - - c. -

Review and update the current system and information integrity:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Flaw Remediation - - - - SI-2 - SI-02 - [OMB A-130] - [FIPS 140-3] - [FIPS 186-4] - [SP 800-40] - [SP 800-128] - [IR 7788] - CA-5 - CM-3 - CM-4 - CM-5 - CM-6 - CM-8 - MA-2 - RA-5 - SA-8 - SA-10 - SA-11 - SI-3 - SI-5 - SI-7 - SI-11 - - - a. -

Identify, report, and correct system flaws;

- - - b. -

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

- - - c. -

Install security-relevant software and firmware updates within of the release of the updates; and

- - - d. -

Incorporate flaw remediation into the organizational configuration management process.

- - - -

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. -Organization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

- - - Central Management - SI-2(1) - SI-02(01) - PL-9 - -

Centrally manage the flaw remediation process.

- - -

Central management is the organization-wide management and implementation of flaw remediation processes. It includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation controls.

- - - - Automated Flaw Remediation Status - - - - - - - SI-2(2) - SI-02(02) - CA-7 - SI-4 - -

Determine if system components have applicable security-relevant software and firmware updates installed using - .

- - -

Automated mechanisms can track and determine the status of known flaws for system components.

- - - - - Malicious Code Protection - - - - - - - - - - - - - SI-3 - SI-03 - [SP 800-83] - [SP 800-125B] - [SP 800-177] - AC-4 - AC-19 - CM-3 - CM-8 - IR-4 - MA-3 - MA-4 - RA-5 - SC-7 - SC-23 - SC-26 - SC-28 - SC-44 - SI-2 - SI-4 - SI-7 - SI-8 - SI-15 - - - a. -

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

- - - b. -

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

- - - c. -

Configure malicious code protection mechanisms to:

- - 1. -

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

- - - 2. -

- ; and send alert to in response to malicious code detection.

- - - - d. -

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

- - - -

System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. -Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions. -In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files.

- - - Central Management - SI-3(1) - SI-03(01) - PL-9 - -

Centrally manage malicious code protection mechanisms.

- - -

Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls.

- - - - - System Monitoring - - - - - - - - - - - - - - - - - SI-4 - SI-04 - [OMB A-130] - [SP 800-61] - [SP 800-83] - [SP 800-92] - [SP 800-94] - [SP 800-137] - AC-2 - AC-3 - AC-4 - AC-8 - AC-17 - AU-2 - AU-6 - AU-7 - AU-9 - AU-12 - AU-13 - AU-14 - CA-7 - CM-3 - CM-6 - CM-8 - CM-11 - IA-10 - IR-4 - MA-3 - MA-4 - PM-12 - RA-5 - SC-5 - SC-7 - SC-18 - SC-26 - SC-31 - SC-35 - SC-36 - SC-37 - SC-43 - SI-3 - SI-6 - SI-7 - SR-9 - SR-10 - - - a. -

Monitor the system to detect:

- - 1. -

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

- - - 2. -

Unauthorized local, network, and remote connections;

- - - - b. -

Identify unauthorized use of the system through the following techniques and methods: ;

- - - c. -

Invoke internal monitoring capabilities or deploy monitoring devices:

- - 1. -

Strategically within the system to collect organization-determined essential information; and

- - - 2. -

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

- - - - d. -

Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

- - - e. -

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

- - - f. -

Obtain legal opinion regarding system monitoring activities; and

- - - g. -

Provide to - .

- - - -

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. -Depending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - Automated Tools and Mechanisms for Real-time Analysis - SI-4(2) - SI-04(02) - PM-23 - PM-25 - -

Employ automated tools and mechanisms to support near real-time analysis of events.

- - -

Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

- - - - Inbound and Outbound Communications Traffic - - - - SI-4(4) - SI-04(04) - -

Monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

- - -

Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components.

- - - - System-generated Alerts - - - - - - - SI-4(5) - SI-04(05) - AU-4 - AU-5 - PE-6 - -

Alert when the following system-generated indications of compromise or potential compromise occur: .

- - -

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats.

- - - - Visibility of Encrypted Communications - - - - - - - SI-4(10) - SI-04(10) - -

Make provisions so that is visible to .

- - -

Organizations balance the need for encrypting communications traffic to protect data confidentiality with the need for having visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.

- - - - Automated Organization-generated Alerts - - - - - - - - - - SI-4(12) - SI-04(12) - -

Alert using when the following indications of inappropriate or unusual activities with security or privacy implications occur: .

- - -

Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by systems in SI-4(5) that focus on information sources that are internal to the systems such as audit records, the sources of information for this enhancement focus on other entities such as suspicious activity reports and reports on potential insider threats.

- - - - Wireless Intrusion Detection - SI-4(14) - SI-04(14) - AC-18 - IA-3 - -

Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.

- - -

Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems, but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems.

- - - - Privileged Users - - - - SI-4(20) - SI-04(20) - AC-18 - -

Implement the following additional monitoring of privileged users: .

- - -

Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.

- - - - Unauthorized Network Services - - - - - - - - SI-4(22) - SI-04(22) - CM-7 - - - (a) -

Detect network services that have not been authorized or approved by ; and

- - - (b) -

- when detected.

- - - -

Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.

- - - - - Security Alerts, Advisories, and Directives - - - - - - - - - - - - - - SI-5 - SI-05 - [SP 800-40] - PM-15 - RA-5 - SI-2 - - - a. -

Receive system security alerts, advisories, and directives from on an ongoing basis;

- - - b. -

Generate internal security alerts, advisories, and directives as deemed necessary;

- - - c. -

Disseminate security alerts, advisories, and directives to: ; and

- - - d. -

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

- - - -

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

- - - Automated Alerts and Advisories - - - - SI-5(1) - SI-05(01) - -

Broadcast security alert and advisory information throughout the organization using .

- - -

The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of information security and privacy risk, including the governance level, mission and business process level, and the information system level.

- - - - - Security and Privacy Function Verification - - - - - - - - - - - - - - - - - - SI-6 - SI-06 - [OMB A-130] - CA-7 - CM-4 - CM-6 - SI-7 - - - a. -

Verify the correct operation of ;

- - - b. -

Perform the verification of the functions specified in SI-6a ;

- - - c. -

Notify of failed security and privacy verification tests; and

- - - d. -

- when anomalies are discovered.

- - - -

Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy, or that privacy attributes are applied or used as expected.

- - - - Software, Firmware, and Information Integrity - - - - - - - SI-7 - SI-07 - [OMB A-130] - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-70] - [SP 800-147] - AC-4 - CM-3 - CM-7 - CM-8 - MA-3 - MA-4 - RA-5 - SA-8 - SA-9 - SA-10 - SC-8 - SC-12 - SC-13 - SC-28 - SC-37 - SI-3 - SR-3 - SR-4 - SR-5 - SR-6 - SR-9 - SR-10 - SR-11 - - - a. -

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: ; and

- - - b. -

Take the following actions when unauthorized changes to the software, firmware, and information are detected: .

- - - -

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications.

- - - Integrity Checks - - - - - - - - - - - SI-7(1) - SI-07(01) - -

Perform an integrity check of - .

- - -

Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.

- - - - Automated Notifications of Integrity Violations - - - - SI-7(2) - SI-07(02) - -

Employ automated tools that provide notification to upon discovering discrepancies during integrity verification.

- - -

The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel having an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, systems administrators, software developers, systems integrators, and information security officers, and privacy officers.

- - - - Automated Response to Integrity Violations - - - - - SI-7(5) - SI-07(05) - -

Automatically when integrity violations are discovered.

- - -

Organizations may define different integrity checking responses by type of information, by specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur.

- - - - Integration of Detection and Response - - - - SI-7(7) - SI-07(07) - AU-2 - AU-6 - IR-4 - IR-5 - SI-4 - -

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: .

- - -

This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges.

- - - - Code Authentication - - - - SI-7(15) - SI-07(15) - CM-5 - -

Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: .

- - -

Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations employing cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13).

- - - - - Spam Protection - SI-8 - SI-08 - [SP 800-45] - [SP 800-177] - SC-5 - SC-7 - SC-38 - SI-3 - SI-4 - - - a. -

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

- - - b. -

Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

- - - -

System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.

- - - Central Management - SI-8(1) - SI-08(01) - AU-3 - CM-6 - SI-2 - SI-7 - -

Centrally manage spam protection mechanisms.

- - -

Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls.

- - - - Automatic Updates - - - - SI-8(2) - SI-08(02) - -

Automatically update spam protection mechanisms .

- - -

Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability.

- - - - - Information Input Validation - - - - SI-10 - SI-10 - [OMB A-130, Appendix II] - -

Check the validity of the following information inputs: .

- - -

Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

- - - - Error Handling - - - - SI-11 - SI-11 - AU-2 - AU-3 - SC-31 - SI-2 - - - a. -

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

- - - b. -

Reveal error messages only to .

- - - -

Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.

- - - - Information Management and Retention - SI-12 - SI-12 - [OMB A-130, Appendix II] - AC-1 - AT-1 - AU-1 - CA-1 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PM-1 - PS-1 - PT-1 - RA-1 - SA-1 - SC-1 - SI-1 - SR-1 - AC-16 - AU-5 - AU-11 - CA-2 - CA-3 - CA-5 - CA-6 - CA-7 - CA-9 - CM-5 - CM-9 - CP-2 - IR-8 - MP-2 - MP-3 - MP-4 - MP-6 - PL-2 - PL-4 - PM-4 - PM-8 - PM-9 - PS-2 - PS-6 - PT-1 - PT-2 - PT-3 - RA-2 - RA-3 - SA-5 - SR-1 - -

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

- - -

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel.

- - - - Memory Protection - - - - SI-16 - SI-16 - AC-25 - SC-3 - -

Implement the following controls to protect the system memory from unauthorized code execution: .

- - -

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

- - - - - Supply Chain Risk Management - - Policy and Procedures - - - - - - - - - - - - - - SR-1 - SR-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [SP 800-161] - PM-9 - PM-30 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- supply chain risk management policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

- - - c. -

Review and update the current supply chain risk management:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Supply Chain Risk Management Plan - - - - - - - SR-2 - SR-02 - [SP 800-30] - [SP 800-39] - [SP 800-160 v1] - [SP 800-161] - [IR 7622] - CA-2 - CP-4 - IR-4 - MA-2 - MA-6 - PE-16 - PL-2 - PM-9 - PM-30 - RA-3 - RA-7 - SA-8 - - - a. -

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: ;

- - - b. -

Implement the supply chain risk management plan consistently across the organization; and

- - - c. -

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes.

- - - -

The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. -Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

- - - Establish Scrm Team - - - - - - - SR-2(1) - SR-02(01) - -

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

- - -

To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team.

- - - - - Supply Chain Controls and Processes - - - - - - - - - - - - - - SR-3 - SR-03 - [SP 800-30] - [SP 800-161] - [IR 7622] - CA-2 - MA-2 - MA-6 - PE-3 - PE-16 - PL-8 - PM-30 - SA-2 - SA-3 - SA-4 - SA-5 - SA-8 - SA-9 - SA-10 - SA-15 - SC-7 - SC-29 - SC-30 - SC-38 - SI-7 - SR-6 - SR-9 - SR-11 - - - a. -

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

- - - b. -

Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

- - - c. -

Document the selected and implemented supply chain processes and controls in .

- - - -

Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

- - - - Acquisition Strategies, Tools, and Methods - - - - SR-5 - SR-05 - [SP 800-30] - [SP 800-161] - [IR 7622] - AT-3 - SA-2 - SA-3 - SA-4 - SA-5 - SA-8 - SA-9 - SA-10 - SA-15 - SR-6 - SR-9 - SR-10 - SR-11 - -

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

- - -

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

- - - - Supplier Reviews - - - - SR-6 - SR-06 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-30] - [SP 800-161] - [IR 7622] - SR-3 - SR-5 - -

Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide .

- - -

A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts.

- - - - Notification Agreements - - - - - SR-8 - SR-08 - [SP 800-30] - [SP 800-161] - [IR 7622] - IR-4 - IR-6 - IR-8 - -

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

- - -

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

- - - - Tamper Resistance and Detection - SR-9 - SR-09 - PE-3 - PM-30 - SA-15 - SI-4 - SI-7 - SR-3 - SR-4 - SR-5 - SR-10 - SR-11 - -

Implement a tamper protection program for the system, system component, or system service.

- - -

Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use.

- - - Multiple Stages of System Development Life Cycle - SR-9(1) - SR-09(01) - SA-3 - -

Employ anti-tamper technologies, tools, and techniques during multiple stages in the system development life cycle, including design, development, integration, operations, and maintenance.

- - -

Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage.

- - - - - Inspection of Systems or Components - - - - - - - - - - - SR-10 - SR-10 - AT-3 - PM-30 - SI-4 - SI-7 - SR-3 - SR-4 - SR-5 - SR-9 - SR-11 - -

Inspect the following systems or system components to detect tampering: .

- - -

Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations.

- - - - Component Authenticity - - - - - - - - SR-11 - SR-11 - PE-3 - SA-4 - SI-7 - SR-9 - SR-10 - - - a. -

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

- - - b. -

Report counterfeit system components to .

- - - -

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

- - - Anti-counterfeit Training - - - - SR-11(1) - SR-11(01) - AT-3 - -

Train to detect counterfeit system components (including hardware, software, and firmware).

- - -

None.

- - - - Configuration Control for Component Service and Repair - - - - SR-11(2) - SR-11(02) - CM-3 - MA-2 - MA-4 - SA-10 - -

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

- - -

None.

- - - - Component Disposal - - - - SR-11(3) - SR-11(03) - MP-6 - -

Dispose of system components using the following techniques and methods: .

- - -

Proper disposal of system components helps to prevent such components from entering the gray market.

- - - - - - - [PRIVACT] - - Privacy Act (P.L. 93-579), December 1974. - - - - - [EVIDACT] - - Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019. - - - - - [EO 13526] - - Executive Order 13526, Classified National Security Information, December 2009. - - - - - [FISMA] - - Federal Information Security Modernization Act (P.L. 113-283), December 2014. - - - - - [EO 13587] - - Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 2011. - - - - - [HSPD 7] - - Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003. - - - - - [5 CFR 731] - - Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements(5 C.F.R. 731.106). - - - - - [32 CFR 2002] - - Code of Federal Regulations, Title 32, Controlled Unclassified Information(32 C.F.R 2002). - - - - - [ODNI NITP] - - Office of the Director National Intelligence, National Insider Threat Policy - - - - - - [OMB A-108] - - Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, December 2016. - - - - - - [OMB A-130] - - Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016. - - - - - [OMB M-17-06] - - Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services, November 2016. - - - - - - [OMB M-17-12] - - Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017. - - - - - - [OMB M-17-25] - - Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017. - - - - - - [OMB M-19-23] - - Office of Management and Budget Memorandum M-19-23, Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance, July 2019. - - - - - - [CNSSI 1253] - - Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, March 2014. - - - - - [DHS NIPP] - - Department of Homeland Security, National Infrastructure Protection Plan (NIPP), 2009. - - - - - [ISO 15408-1] - - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model, April 2017. - - - - - - [ISO 15408-2] - - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements, April 2017. - - - - - - [ISO 15408-3] - - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements, April 2017. - - - - - - [FIPS 140-3] - - National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - - - - - [FIPS 180-4] - - National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. - - - - - [FIPS 186-4] - - National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. - - - - - [FIPS 197] - - National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. - - - - - [FIPS 199] - - National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - - - - - [FIPS 200] - - National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - - - - - [FIPS 201-2] - - National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - - - - - [FIPS 202] - - National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. - - - - - [SP 800-12] - - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. - - - - - - [SP 800-18] - - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. - - - - - - [SP 800-28] - - Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. - - - - - - [SP 800-30] - - Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - - - - - [SP 800-32] - - Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32. - - - - - [SP 800-34] - - Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. - - - - - [SP 800-35] - - Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - - - - - [SP 800-37] - - Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - - - - - [SP 800-39] - - Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - - - - - [SP 800-40] - - Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. - - - - - [SP 800-41] - - Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. - - - - - [SP 800-45] - - Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. - - - - - [SP 800-46] - - Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. - - - - - [SP 800-47] - - Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. - - - - - [SP 800-50] - - Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - - - - - [SP 800-52] - - McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. - - - - - [SP 800-53A] - - Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - - - - - [SP 800-53B] - - National Institute of Standards and Technology Special Publication 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. Projected for publication in 2020. - - - - [SP 800-55] - - Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - - - - - [SP 800-56A] - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. - - - - - [SP 800-56B] - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. - - - - - [SP 800-56C] - - Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1. - - - - - [SP 800-57-1] - - Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4. - - - - - [SP 800-57-2] - - Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. - - - - - [SP 800-57-3] - - Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. - - - - - [SP 800-60 v1] - - Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - - - - - [SP 800-60 v2] - - Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - - - - - [SP 800-61] - - Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - - - - - [SP 800-63-3] - - Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - - - - - [SP 800-63A] - - Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. - - - - - [SP 800-70] - - Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - - - - - [SP 800-73-4] - - Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - - - - - [SP 800-76-2] - - Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. - - - - - - [SP 800-77] - - Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77. - - - - - [SP 800-78-4] - - Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. - - - - - - [SP 800-79-2] - - Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. - - - - - - [SP 800-81-2] - - Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. - - - - - - [SP 800-83] - - Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - - - - - [SP 800-84] - - Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - - - - - [SP 800-86] - - Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - - - - - [SP 800-88] - - Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - - - - - [SP 800-92] - - Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - - - - - [SP 800-94] - - Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. - - - - - [SP 800-95] - - Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. - - - - - [SP 800-97] - - Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. - - - - - [SP 800-100] - - Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - - - - - [SP 800-101] - - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. - - - - - - [SP 800-111] - - Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. - - - - - - [SP 800-113] - - Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. - - - - - [SP 800-114] - - Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. - - - - - [SP 800-115] - - Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - - - - - [SP 800-116] - - Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. - - - - - [SP 800-121] - - Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. - - - - - [SP 800-124] - - Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - - - - - [SP 800-125B] - - Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. - - - - - [SP 800-126] - - Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. - - - - - [SP 800-128] - - Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - - - - - [SP 800-130] - - Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. - - - - - [SP 800-137] - - Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - - - - - [SP 800-147] - - Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147. - - - - - [SP 800-150] - - Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - - - - - [SP 800-152] - - Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. - - - - - [SP 800-154] - - Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. - - - - - [SP 800-156] - - Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. - - - - - [SP 800-160 v1] - - Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - - - - - [SP 800-160 v2] - - Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - - - - - [SP 800-161] - - Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - - - - - [SP 800-162] - - Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019. - - - - - [SP 800-166] - - Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. - - - - - [SP 800-167] - - Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. - - - - - [SP 800-171] - - Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. - - - - - [SP 800-171B] - - Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B. - - - - - [SP 800-177] - - Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. - - - - - [SP 800-178] - - Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. - - - - - [SP 800-181] - - Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - - - - - [SP 800-184] - - Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - - - - - [SP 800-188] - - Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - - - - - [SP 800-189] - - Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. - - - - - [SP 800-192] - - Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. - - - - - [IR 7539] - - Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - - - - - [IR 7559] - - Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - - - - - [IR 7622] - - Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - - - - - [IR 7676] - - Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - - - - - [IR 7788] - - Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. - - - - - [IR 7817] - - Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. - - - - - [IR 7849] - - Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. - - - - - [IR 7870] - - Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - - - - - [IR 7874] - - Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - - - - - [IR 7956] - - Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. - - - - - [IR 7966] - - Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. - - - - - [IR 8011 v1] - - Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - - - - - [IR 8023] - - Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - - - - - [IR 8040] - - Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. - - - - - [IR 8062] - - Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - - - - - [IR 8179] - - Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. - - - - - [DOD STIG] - - Defense Information Systems Agency, Security Technical Implementation Guides (STIG). - - - - - [IETF 5905] - - - - - - [NARA CUI] - - National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. - - - - - [NIAP CCEVS] - - National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. - - - - - [NCPR] - - National Institute of Standards and Technology (2020) National Checklist Program Repository. Available at - - - - - [NSA CSFC] - - National Security Agency, Commercial Solutions for Classified Program (CSfC). - - - - - [NSA MEDIA] - - National Security Agency, Media Destruction Guidance. - - - - - [USGCB] - - National Institute of Standards and Technology (2020) United States Government Configuration Baseline. Available at - - - - - diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml deleted file mode 100644 index 0cd7b1e0f5..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml +++ /dev/null @@ -1,451 +0,0 @@ - - - - SP800-53 HIGH IMPACT BASELINE - 2020-08-26T16:28:38.111-04:00 - FPD - 1.0.0-milestone3 - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - a90f4235-ab3c-4bf1-ba0a-865bbc833346 - - - a90f4235-ab3c-4bf1-ba0a-865bbc833346 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - true - - diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.xml deleted file mode 100644 index aa5f480d0d..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.xml +++ /dev/null @@ -1,8727 +0,0 @@ - - - - SP800-53 LOW IMPACT BASELINE - 2020-08-26T16:28:37.432-04:00 - FPD - 1.0.0-milestone3 - 2020-08-31T17:39:43.230651Z - SP800-53 LOW IMPACT BASELINE - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - fcba95f8-df3b-47cd-ae6f-57089a2b7174 - - - fcba95f8-df3b-47cd-ae6f-57089a2b7174 - - - - Access Control - - Policy and Procedures - - - - - - - - - - - - - - AC-1 - AC-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [IR 7874] - IA-1 - PM-9 - PM-24 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- access control policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the access control policy and the associated access controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

- - - c. -

Review and update the current access control:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Account Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - AC-2 - AC-02 - [SP 800-162] - [SP 800-178] - [SP 800-192] - AC-3 - AC-5 - AC-6 - AC-17 - AC-18 - AC-20 - AC-24 - AU-2 - AU-12 - CM-5 - IA-2 - IA-4 - IA-5 - IA-8 - MA-3 - MA-5 - PE-2 - PL-4 - PS-2 - PS-4 - PS-5 - PS-7 - SC-7 - SC-13 - SC-37 - - - a. -

Define and document the types of accounts allowed for use within the system;

- - - b. -

Assign account managers;

- - - c. -

Establish conditions for group and role membership;

- - - d. -

Specify:

- - 1. -

Authorized users of the system;

- - - 2. -

Group and role membership; and

- - - 3. -

Access authorizations (i.e., privileges) and for each account;

- - - - e. -

Require approvals by for requests to create accounts;

- - - f. -

Create, enable, modify, disable, and remove accounts in accordance with ;

- - - g. -

Monitor the use of accounts;

- - - h. -

Notify account managers and within:

- - 1. -

- when accounts are no longer required;

- - - 2. -

- when users are terminated or transferred; and

- - - 3. -

- when system usage or need-to-know changes for an individual;

- - - - i. -

Authorize access to the system based on:

- - 1. -

A valid access authorization;

- - - 2. -

Intended system usage; and

- - - 3. -

- ;

- - - - j. -

Review accounts for compliance with account management requirements ;

- - - k. -

Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and

- - - l. -

Align account management processes with personnel termination and transfer processes.

- - - -

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy. -Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. -Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

- - - - Access Enforcement - AC-3 - AC-03 - [OMB A-130] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-162] - [SP 800-178] - [IR 7874] - AC-2 - AC-4 - AC-5 - AC-6 - AC-16 - AC-17 - AC-18 - AC-19 - AC-20 - AC-21 - AC-22 - AC-24 - AC-25 - AT-2 - AT-3 - AU-9 - CA-9 - CM-5 - CM-11 - IA-2 - IA-5 - IA-6 - IA-7 - IA-11 - MA-3 - MA-4 - MA-5 - MP-4 - PM-2 - PS-3 - SA-17 - SC-2 - SC-3 - SC-4 - SC-13 - SC-28 - SC-31 - SC-34 - SI-4 - -

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

- - -

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.

- - - - Unsuccessful Logon Attempts - - - - - - - - - - - - - - - - - AC-7 - AC-07 - [SP 800-63-3] - [SP 800-124] - AC-2 - AC-9 - AU-2 - AU-6 - IA-5 - - - a. -

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

- - - b. -

Automatically when the maximum number of unsuccessful attempts is exceeded.

- - - -

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address. -Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

- - - - System Use Notification - - - - - - - AC-8 - AC-08 - AC-14 - PL-4 - SI-4 - - - a. -

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

- - 1. -

Users are accessing a U.S. Government system;

- - - 2. -

System usage may be monitored, recorded, and subject to audit;

- - - 3. -

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

- - - 4. -

Use of the system indicates consent to monitoring and recording;

- - - - b. -

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

- - - c. -

For publicly accessible systems:

- - 1. -

Display system use information , before granting further access to the publicly accessible system;

- - - 2. -

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

- - - 3. -

Include a description of the authorized uses of the system.

- - - - -

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

- - - - Permitted Actions Without Identification or Authentication - - - - AC-14 - AC-14 - AC-8 - IA-2 - PL-2 - - - a. -

Identify that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and

- - - b. -

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

- - - -

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none.

- - - - Remote Access - AC-17 - AC-17 - [SP 800-46] - [SP 800-77] - [SP 800-113] - [SP 800-114] - [SP 800-121] - [IR 7966] - AC-2 - AC-3 - AC-4 - AC-18 - AC-19 - AC-20 - CA-3 - CM-10 - IA-2 - IA-3 - IA-8 - MA-4 - PE-17 - PL-2 - PL-4 - SC-10 - SI-4 - - - a. -

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

- - - b. -

Authorize each type of remote access to the system prior to allowing such connections.

- - - -

Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3.

- - - - Wireless Access - AC-18 - AC-18 - [SP 800-94] - [SP 800-97] - AC-2 - AC-3 - AC-17 - AC-19 - CA-9 - CM-7 - IA-2 - IA-3 - IA-8 - PL-4 - SC-40 - SC-43 - SI-4 - - - a. -

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

- - - b. -

Authorize each type of wireless access to the system prior to allowing such connections.

- - - -

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication.

- - - - Access Control for Mobile Devices - AC-19 - AC-19 - [SP 800-114] - [SP 800-124] - AC-3 - AC-4 - AC-7 - AC-11 - AC-17 - AC-18 - AC-20 - CA-9 - CM-2 - CM-6 - IA-2 - IA-3 - MP-2 - MP-4 - MP-5 - MP-7 - PL-4 - SC-7 - SC-34 - SC-43 - SI-3 - SI-4 - - - a. -

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

- - - b. -

Authorize the connection of mobile devices to organizational systems.

- - - -

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. -Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. -Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

- - - - Use of External Systems - - - - - - - - AC-20 - AC-20 - [FIPS 199] - [SP 800-171] - [SP 800-171B] - AC-2 - AC-3 - AC-17 - AC-19 - CA-3 - PL-2 - PL-4 - SA-9 - SC-7 - -

Establish , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

- - a. -

Access the system from external systems; and

- - - b. -

Process, store, or transmit organization-controlled information using external systems.

- - - -

External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries. -For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. -This control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

- - - - Publicly Accessible Content - - - - AC-22 - AC-22 - [PRIVACT] - AC-3 - AT-2 - AT-3 - AU-13 - - - a. -

Designate individuals authorized to make information publicly accessible;

- - - b. -

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

- - - c. -

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

- - - d. -

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

- - - -

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible.

- - - - - Awareness and Training - - Policy and Procedures - - - - - - - - - - - - - - AT-1 - AT-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- awareness and training policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

- - - c. -

Review and update the current awareness and training:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Awareness Training - - - - - - - AT-2 - AT-02 - [OMB A-130] - [SP 800-50] - [SP 800-160 v2] - AC-3 - AC-17 - AC-22 - AT-3 - AT-4 - CP-3 - IA-4 - IR-2 - IR-7 - IR-9 - PL-4 - PM-13 - PM-21 - PS-7 - PT-2 - SA-8 - SA-16 - - - a. -

Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):

- - 1. -

As part of initial training for new users and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update awareness training .

- - - -

Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. -Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective.

- - - Insider Threat - AT-2(2) - AT-02(02) - PM-12 - -

Provide awareness training on recognizing and reporting potential indicators of insider threat.

- - -

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations.

- - - - - Role-based Training - - - - - - - - - - AT-3 - AT-03 - [OMB A-130] - [SP 800-50] - AC-3 - AC-17 - AC-22 - AT-2 - AT-4 - CP-3 - IR-2 - IR-7 - IR-9 - IR-10 - PL-4 - PM-13 - PM-23 - PS-7 - SA-3 - SA-8 - SA-11 - SA-16 - SR-5 - SR-6 - SR-11 - - - a. -

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

- - 1. -

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update role-based training .

- - - -

Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. -Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective.

- - - - Training Records - - - - AT-4 - AT-04 - [OMB A-130] - AT-2 - AT-3 - CP-3 - IR-2 - PM-14 - SI-12 - - - a. -

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

- - - b. -

Retain individual training records for .

- - - -

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

- - - - - Audit and Accountability - - Policy and Procedures - - - - - - - - - - - - - - AU-1 - AU-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- audit and accountability policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

- - - c. -

Review and update the current audit and accountability:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Event Logging - - - - - - - - - - AU-2 - AU-02 - [OMB A-130] - [SP 800-92] - AC-2 - AC-3 - AC-6 - AC-7 - AC-8 - AC-16 - AC-17 - AU-3 - AU-4 - AU-5 - AU-6 - AU-7 - AU-11 - AU-12 - CM-3 - CM-5 - CM-6 - CM-13 - IA-3 - MA-4 - MP-4 - PE-3 - PM-21 - PT-2 - PT-8 - RA-8 - SA-8 - SC-7 - SC-18 - SI-3 - SI-4 - SI-7 - SI-10 - SI-11 - - - a. -

Identify the types of events that the system is capable of logging in support of the audit function: ;

- - - b. -

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

- - - c. -

Specify the following event types for logging within the system: ;

- - - d. -

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

- - - e. -

Review and update the event types selected for logging .

- - - -

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. -To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. -Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

- - - - Content of Audit Records - AU-3 - AU-03 - [OMB A-130] - [IR 8062] - AU-2 - AU-8 - AU-12 - AU-14 - MA-4 - SA-8 - SI-7 - SI-11 - -

Ensure that audit records contain information that establishes the following:

- - a. -

What type of event occurred;

- - - b. -

When the event occurred;

- - - c. -

Where the event occurred;

- - - d. -

Source of the event;

- - - e. -

Outcome of the event; and

- - - f. -

Identity of any individuals, subjects, or objects/entities associated with the event.

- - - -

Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage.

- - - - Audit Log Storage Capacity - - - - AU-4 - AU-04 - AU-2 - AU-5 - AU-6 - AU-7 - AU-9 - AU-11 - AU-12 - AU-14 - SI-4 - -

Allocate audit log storage capacity to accommodate .

- - -

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

- - - - Response to Audit Logging Process Failures - - - - - - - - - - AU-5 - AU-05 - AU-2 - AU-4 - AU-7 - AU-9 - AU-11 - AU-12 - AU-14 - SI-4 - SI-12 - - - a. -

Alert within in the event of an audit logging process failure; and

- - - b. -

Take the following additional actions: .

- - - -

Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

- - - - Audit Record Review, Analysis, and Reporting - - - - - - - - - - AU-6 - AU-06 - [SP 800-86] - [SP 800-101] - AC-2 - AC-3 - AC-5 - AC-6 - AC-7 - AC-17 - AU-7 - AU-16 - CA-2 - CA-7 - CM-2 - CM-5 - CM-6 - CM-10 - CM-11 - IA-2 - IA-3 - IA-5 - IA-8 - IR-5 - MA-4 - MP-4 - PE-3 - PE-6 - RA-5 - SA-8 - SC-7 - SI-3 - SI-4 - SI-7 - - - a. -

Review and analyze system audit records for indications of ;

- - - b. -

Report findings to ; and

- - - c. -

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

- - - -

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

- - - - Time Stamps - - - - AU-8 - AU-08 - [IETF 5905] - AU-3 - AU-12 - AU-14 - SC-45 - - - a. -

Use internal system clocks to generate time stamps for audit records; and

- - - b. -

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

- - - -

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

- - - - Protection of Audit Information - AU-9 - AU-09 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 202] - AC-3 - AC-6 - AU-6 - AU-11 - AU-14 - AU-15 - MP-2 - MP-4 - PE-2 - PE-3 - PE-6 - SA-8 - SC-8 - SI-4 - -

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

- - -

Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

- - - - Audit Record Retention - - - - AU-11 - AU-11 - [OMB A-130] - AU-2 - AU-4 - AU-5 - AU-6 - AU-9 - AU-14 - MP-6 - RA-5 - SI-12 - -

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

- - -

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - Audit Record Generation - - - - - - - AU-12 - AU-12 - AC-6 - AC-17 - AU-2 - AU-3 - AU-4 - AU-5 - AU-6 - AU-7 - AU-14 - CM-5 - MA-4 - MP-4 - PM-12 - SA-8 - SC-18 - SI-3 - SI-4 - SI-7 - SI-10 - - - a. -

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

- - - b. -

Allow to select the event types that are to be logged by specific components of the system; and

- - - c. -

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

- - - -

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

- - - - - Assessment, Authorization, and Monitoring - - Policy and Procedures - - - - - - - - - - - - - - CA-1 - CA-01 - [OMB A-130, Appendix II] - [SP 800-12] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-100] - [SP 800-137] - [IR 8062] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- assessment, authorization, and monitoring policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

- - - c. -

Review and update the current assessment, authorization, and monitoring:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Control Assessments - - - - - - - CA-2 - CA-02 - [OMB A-130] - [FIPS 199] - [SP 800-18] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8062] - AC-20 - CA-5 - CA-6 - CA-7 - PM-9 - RA-5 - SA-11 - SC-38 - SI-3 - SI-12 - SR-2 - SR-3 - - - a. -

Develop a control assessment plan that describes the scope of the assessment including:

- - 1. -

Controls and control enhancements under assessment;

- - - 2. -

Assessment procedures to be used to determine control effectiveness; and

- - - 3. -

Assessment environment, assessment team, and assessment roles and responsibilities;

- - - - b. -

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

- - - c. -

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

- - - d. -

Produce a control assessment report that document the results of the assessment; and

- - - e. -

Provide the results of the control assessment to .

- - - -

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. -Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. -Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. -To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control.

- - - - Information Exchange - - - - - - - - CA-3 - CA-03 - [OMB A-130, Appendix II] - [FIPS 199] - [SP 800-47] - AC-4 - AC-20 - AU-16 - CA-6 - IA-3 - IR-4 - PL-2 - PT-8 - RA-3 - SA-9 - SC-7 - SI-12 - - - a. -

Approve and manage the exchange of information between the system and other systems using ;

- - - b. -

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

- - - c. -

Review and update the agreements .

- - - -

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk. -Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks.

- - - - Plan of Action and Milestones - - - - CA-5 - CA-05 - [OMB A-130] - [SP 800-37] - CA-2 - CA-7 - PM-4 - PM-9 - RA-7 - SI-2 - SI-12 - - - a. -

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

- - - b. -

Update existing plan of action and milestones based on the findings from control assessments, audits, and continuous monitoring activities.

- - - -

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB.

- - - - Authorization - - - - CA-6 - CA-06 - [OMB A-130] - [SP 800-37] - [SP 800-137] - CA-2 - CA-3 - CA-7 - PM-9 - PM-10 - SA-10 - SI-12 - - - a. -

Assign a senior official as the authorizing official for the system;

- - - b. -

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

- - - c. -

Ensure that the authorizing official for the system, before commencing operations:

- - 1. -

Accepts the use of common controls inherited by the system; and

- - - 2. -

Authorizes the system to operate;

- - - - d. -

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

- - - e. -

Update the authorizations .

- - - -

Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. -Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - Continuous Monitoring - - - - - - - - - - - - - - - - CA-7 - CA-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8011 v1] - [IR 8062] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PM-31 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-8 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-6 - -

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

- - a. -

Establishing the following system-level metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing control assessments in accordance with the continuous monitoring strategy;

- - - d. -

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

- - - e. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - f. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - g. -

Reporting the security and privacy status of the system to - .

- - - -

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. -Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - Risk Monitoring - CA-7(4) - CA-07(04) - -

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

- - (a) -

Effectiveness monitoring;

- - - (b) -

Compliance monitoring; and

- - - (c) -

Change monitoring.

- - - -

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

- - - - - Internal System Connections - - - - - - - - - - CA-9 - CA-09 - [SP 800-124] - [IR 8023] - AC-3 - AC-4 - AC-18 - AC-19 - CM-2 - IA-3 - SC-7 - SI-12 - - - a. -

Authorize internal connections of to the system;

- - - b. -

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

- - - c. -

Terminate internal system connections after ; and

- - - d. -

Review the continued need for each internal connection.

- - - -

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

- - - - - Configuration Management - - Policy and Procedures - - - - - - - - - - - - - - CM-1 - CM-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- configuration management policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

- - - c. -

Review and update the current configuration management:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Baseline Configuration - - - - - - - CM-2 - CM-02 - [SP 800-124] - [SP 800-128] - AC-19 - AU-6 - CA-9 - CM-1 - CM-3 - CM-5 - CM-6 - CM-8 - CM-9 - CP-9 - CP-10 - CP-12 - MA-2 - PL-8 - PM-5 - SA-8 - SA-10 - SA-15 - SC-18 - - - a. -

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

- - - b. -

Review and update the baseline configuration of the system:

- - 1. -

- ;

- - - 2. -

When required due to ; and

- - - 3. -

When system components are installed or upgraded.

- - - - -

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

- - - - Impact Analyses - CM-4 - CM-04 - [SP 800-128] - CA-7 - CM-3 - CM-8 - CM-9 - MA-2 - RA-3 - RA-5 - SA-5 - SA-8 - SA-10 - SI-2 - -

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

- - -

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required.

- - - - Access Restrictions for Change - CM-5 - CM-05 - [FIPS 140-3] - [FIPS 186-4] - AC-3 - AC-5 - AC-6 - CM-9 - PE-3 - SC-28 - SC-34 - SC-37 - SI-2 - SI-10 - -

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

- - -

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

- - - - Configuration Settings - - - - - - - - - - CM-6 - CM-06 - [SP 800-70] - [SP 800-126] - [SP 800-128] - [USGCB] - [NCPR] - [DOD STIG] - AC-3 - AC-19 - AU-2 - AU-6 - CA-9 - CM-2 - CM-3 - CM-5 - CM-7 - CM-11 - CP-7 - CP-9 - CP-10 - IA-3 - IA-5 - PL-8 - RA-5 - SA-4 - SA-5 - SA-8 - SA-9 - SC-18 - SC-28 - SC-43 - SI-2 - SI-4 - SI-6 - - - a. -

Establish and document configuration settings for components employed within the system using that reflect the most restrictive mode consistent with operational requirements;

- - - b. -

Implement the configuration settings;

- - - c. -

Identify, document, and approve any deviations from established configuration settings for based on ; and

- - - d. -

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

- - - -

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. -Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. -Implementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

- - - - Least Functionality - - - - - - - CM-7 - CM-07 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-167] - AC-3 - AC-4 - CM-2 - CM-5 - CM-6 - CM-11 - RA-5 - SA-4 - SA-5 - SA-8 - SA-9 - SA-15 - SC-2 - SC-3 - SC-7 - SC-37 - SI-4 - - - a. -

Configure the system to provide only ; and

- - - b. -

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

- - - -

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).

- - - - System Component Inventory - - - - - - - CM-8 - CM-08 - [OMB A-130] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-128] - CM-2 - CM-7 - CM-9 - CM-10 - CM-11 - CM-13 - CP-2 - CP-9 - MA-2 - MA-6 - PE-20 - PM-5 - SA-4 - SA-5 - SI-2 - SR-4 - - - a. -

Develop and document an inventory of system components that:

- - 1. -

Accurately reflects the system;

- - - 2. -

Includes all components within the system;

- - - 3. -

Is at the level of granularity deemed necessary for tracking and reporting; and

- - - 4. -

Includes the following information to achieve system component accountability: ; and

- - - - b. -

Review and update the system component inventory .

- - - -

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

- - - - Software Usage Restrictions - CM-10 - CM-10 - AC-17 - AU-6 - CM-7 - CM-8 - SC-7 - - - a. -

Use software and associated documentation in accordance with contract agreements and copyright laws;

- - - b. -

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

- - - c. -

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

- - - -

Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement.

- - - - User-installed Software - - - - - - - - - - CM-11 - CM-11 - AC-3 - AU-6 - CM-2 - CM-3 - CM-5 - CM-6 - CM-7 - CM-8 - PL-4 - SI-7 - - - a. -

Establish governing the installation of software by users;

- - - b. -

Enforce software installation policies through the following methods: ; and

- - - c. -

Monitor policy compliance .

- - - -

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

- - - - - Contingency Planning - - Policy and Procedures - - - - - - - - - - - - - - CP-1 - CP-01 - [SP 800-12] - [SP 800-30] - [SP 800-34] - [SP 800-39] - [SP 800-50] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- contingency planning policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

- - - c. -

Review and update the current contingency planning:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Contingency Plan - - - - - - - - - - - - - CP-2 - CP-02 - [SP 800-34] - [IR 8179] - CP-3 - CP-4 - CP-6 - CP-7 - CP-8 - CP-9 - CP-10 - CP-11 - CP-13 - IR-4 - IR-6 - IR-8 - IR-9 - MA-6 - MP-2 - MP-4 - MP-5 - PL-2 - PM-8 - PM-11 - SA-15 - SA-20 - SC-7 - SC-23 - SI-12 - - - a. -

Develop a contingency plan for the system that:

- - 1. -

Identifies essential missions and business functions and associated contingency requirements;

- - - 2. -

Provides recovery objectives, restoration priorities, and metrics;

- - - 3. -

Addresses contingency roles, responsibilities, assigned individuals with contact information;

- - - 4. -

Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;

- - - 5. -

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and

- - - 6. -

Is reviewed and approved by ;

- - - - b. -

Distribute copies of the contingency plan to ;

- - - c. -

Coordinate contingency planning activities with incident handling activities;

- - - d. -

Review the contingency plan for the system ;

- - - e. -

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

- - - f. -

Communicate contingency plan changes to ; and

- - - g. -

Protect the contingency plan from unauthorized disclosure and modification.

- - - -

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. -In addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

- - - - Contingency Training - - - - - - - CP-3 - CP-03 - [SP 800-50] - AT-2 - AT-3 - AT-4 - CP-2 - CP-4 - CP-8 - IR-2 - IR-4 - IR-9 - -

Provide contingency training to system users consistent with assigned roles and responsibilities:

- - a. -

Within of assuming a contingency role or responsibility;

- - - b. -

When required by system changes; and

- - - c. -

- thereafter.

- - - -

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan.

- - - - Contingency Plan Testing - - - - - - - CP-4 - CP-04 - [FIPS 199] - [SP 800-34] - [SP 800-84] - AT-3 - CP-2 - CP-3 - CP-8 - CP-9 - IR-3 - IR-4 - PL-2 - PM-14 - SR-2 - - - a. -

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

- - - b. -

Review the contingency plan test results; and

- - - c. -

Initiate corrective actions, if needed.

- - - -

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

- - - - System Backup - - - - - - - - - - - - - CP-9 - CP-09 - [FIPS 140-3] - [FIPS 186-4] - [SP 800-34] - [SP 800-130] - [SP 800-152] - CP-2 - CP-6 - CP-10 - MP-4 - MP-5 - SC-13 - SI-4 - SI-13 - - - a. -

Conduct backups of user-level information contained in - ;

- - - b. -

Conduct backups of system-level information contained in the system ;

- - - c. -

Conduct backups of system documentation, including security and privacy-related documentation ; and

- - - d. -

Protect the confidentiality, integrity, and availability of backup information.

- - - -

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

- - - - System Recovery and Reconstitution - - - - CP-10 - CP-10 - [SP 800-34] - CP-2 - CP-4 - CP-6 - CP-7 - CP-9 - IR-4 - SA-8 - SC-24 - SI-13 - -

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

- - -

Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

- - - - - Identification and Authentication - - Policy and Procedures - - - - - - - - - - - - - - IA-1 - IA-01 - [OMB A-130] - [FIPS 201-2] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-100] - [IR 7874] - AC-1 - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- identification and authentication policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

- - - c. -

Review and update the current identification and authentication:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Identification and Authentication (organizational Users) - IA-2 - IA-02 - [FIPS 140-3] - [FIPS 201-2] - [FIPS 202] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-79-2] - [SP 800-156] - [SP 800-166] - [IR 7539] - [IR 7676] - [IR 7817] - [IR 7849] - [IR 7870] - [IR 7874] - [IR 7966] - AC-2 - AC-3 - AC-4 - AC-14 - AC-17 - AC-18 - AU-1 - AU-6 - IA-4 - IA-5 - IA-8 - MA-4 - MA-5 - PE-2 - PL-4 - SA-4 - SA-8 - -

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

- - -

Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. -Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. -The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

- - - Multifactor Authentication to Privileged Accounts - IA-2(1) - IA-02(01) - AC-5 - AC-6 - -

Implement multifactor authentication for access to privileged accounts.

- - -

Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

- - - - Multifactor Authentication to Non-privileged Accounts - IA-2(2) - IA-02(02) - AC-5 - -

Implement multifactor authentication for access to non-privileged accounts.

- - -

Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

- - - - Access to Accounts — Replay Resistant - - IA-2(8) - IA-02(08) - -

Implement replay-resistant authentication mechanisms for access to .

- - -

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.

- - - - Acceptance of PIV Credentials - IA-2(12) - IA-02(12) - -

Accept and electronically verify Personal Identity Verification-compliant credentials.

- - -

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential.

- - - - - Identifier Management - - - - - - - IA-4 - IA-04 - [FIPS 201-2] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - IA-2 - IA-3 - IA-5 - IA-8 - IA-9 - MA-4 - PE-2 - PE-3 - PE-4 - PL-4 - PM-12 - PS-3 - PS-4 - PS-5 - SC-37 - -

Manage system identifiers by:

- - a. -

Receiving authorization from to assign an individual, group, role, service, or device identifier;

- - - b. -

Selecting an identifier that identifies an individual, group, role, service, or device;

- - - c. -

Assigning the identifier to the intended individual, group, role, service, or device; and

- - - d. -

Preventing reuse of identifiers for .

- - - -

Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

- - - - Authenticator Management - - - - IA-5 - IA-05 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 201-2] - [FIPS 202] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [IR 7539] - [IR 7817] - [IR 7849] - [IR 7870] - [IR 8040] - AC-3 - AC-6 - CM-6 - IA-2 - IA-4 - IA-7 - IA-8 - IA-9 - MA-4 - PE-2 - PL-4 - -

Manage system authenticators by:

- - a. -

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

- - - b. -

Establishing initial authenticator content for any authenticators issued by the organization;

- - - c. -

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

- - - d. -

Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

- - - e. -

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

- - - f. -

Changing default authenticators prior to first use;

- - - g. -

Changing or refreshing authenticators ;

- - - h. -

Protecting authenticator content from unauthorized disclosure and modification;

- - - i. -

Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

- - - j. -

Changing authenticators for group or role accounts when membership to those accounts changes.

- - - -

Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. -Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

- - - Password-based Authentication - - - - - - - IA-5(1) - IA-05(01) - IA-6 - -

For password-based authentication:

- - (a) -

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

- - - (b) -

Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;

- - - (c) -

Transmit only cryptographically-protected passwords;

- - - (d) -

Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;

- - - (e) -

Require immediate selection of a new password upon account recovery;

- - - (f) -

Allow user selection of long passwords and passphrases, including spaces and all printable characters;

- - - (g) -

Employ automated tools to assist the user in selecting strong password authenticators; and

- - - (h) -

Enforce the following composition and complexity rules: .

- - - -

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof.

- - - - - Authenticator Feedback - IA-6 - IA-06 - AC-3 - -

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

- - -

Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it.

- - - - Cryptographic Module Authentication - IA-7 - IA-07 - [FIPS 140-3] - AC-3 - IA-5 - SA-4 - SC-12 - SC-13 - -

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

- - -

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

- - - - Identification and Authentication (non-organizational Users) - IA-8 - IA-08 - [OMB A-130] - [FIPS 201-2] - [SP 800-63-3] - [SP 800-79-2] - [SP 800-116] - [IR 8062] - AC-2 - AC-6 - AC-14 - AC-17 - AC-18 - AU-6 - IA-2 - IA-4 - IA-5 - IA-10 - IA-11 - MA-4 - RA-3 - SA-4 - SC-8 - -

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

- - -

Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

- - - Acceptance of PIV Credentials from Other Agencies - IA-8(1) - IA-08(01) - PE-3 - -

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

- - -

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2].

- - - - Acceptance of External Credentials - IA-8(2) - IA-08(02) - -

Accept only external credentials that are NIST-compliant.

- - -

Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels.

- - - - Use of Nist-issued Profiles - IA-8(4) - IA-08(04) - -

Conform to NIST-issued profiles for identity management.

- - -

Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols.

- - - - - Re-authentication - - - - IA-11 - IA-11 - AC-3 - AC-11 - IA-2 - IA-3 - IA-8 - -

Require users to re-authenticate when .

- - -

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically.

- - - - - Incident Response - - Policy and Procedures - - - - - - - - - - - - - - IR-1 - IR-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-61] - [SP 800-83] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- incident response policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

- - - c. -

Review and update the current incident response:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Incident Response Training - - - - - - - IR-2 - IR-02 - [SP 800-50] - AT-2 - AT-3 - AT-4 - CP-3 - IR-3 - IR-4 - IR-8 - IR-9 - -

Provide incident response training to system users consistent with assigned roles and responsibilities:

- - a. -

Within of assuming an incident response role or responsibility or acquiring system access;

- - - b. -

When required by system changes; and

- - - c. -

- thereafter.

- - - -

Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3.

- - - - Incident Handling - IR-4 - IR-04 - [SP 800-61] - [SP 800-86] - [SP 800-101] - [SP 800-150] - [SP 800-160 v2] - [SP 800-184] - [IR 7559] - AC-19 - AU-6 - AU-7 - CM-6 - CP-2 - CP-3 - CP-4 - IR-2 - IR-3 - IR-6 - IR-8 - IR-10 - PE-6 - PL-2 - PM-12 - SA-8 - SC-5 - SC-7 - SI-3 - SI-4 - SI-7 - - - a. -

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

- - - b. -

Coordinate incident handling activities with contingency planning activities;

- - - c. -

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

- - - d. -

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

- - - -

Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk.

- - - - Incident Monitoring - IR-5 - IR-05 - [SP 800-61] - AU-6 - AU-7 - IR-8 - PE-6 - PM-5 - SC-5 - SC-7 - SI-3 - SI-4 - SI-7 - -

Track and document security, privacy, and supply chain incidents.

- - -

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports.

- - - - Incident Reporting - - - - - - - IR-6 - IR-06 - [SP 800-61] - CM-6 - CP-2 - IR-4 - IR-5 - IR-8 - IR-9 - - - a. -

Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within ; and

- - - b. -

Report security, privacy, and supply chain incident information to .

- - - -

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Incident Response Assistance - IR-7 - IR-07 - [OMB A-130] - [IR 7559] - AT-2 - AT-3 - IR-4 - IR-6 - IR-8 - PM-22 - PM-26 - SA-9 - SI-18 - -

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents.

- - -

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

- - - - Incident Response Plan - - - - - - - - - - - - - - - - IR-8 - IR-08 - [OMB A-130] - [SP 800-61] - [OMB M-17-12] - AC-2 - CP-2 - CP-4 - IR-4 - IR-7 - IR-9 - PE-6 - PL-2 - SA-15 - SI-12 - SR-8 - - - a. -

Develop an incident response plan that:

- - 1. -

Provides the organization with a roadmap for implementing its incident response capability;

- - - 2. -

Describes the structure and organization of the incident response capability;

- - - 3. -

Provides a high-level approach for how the incident response capability fits into the overall organization;

- - - 4. -

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

- - - 5. -

Defines reportable incidents;

- - - 6. -

Provides metrics for measuring the incident response capability within the organization;

- - - 7. -

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

- - - 8. -

Is reviewed and approved by - ; and

- - - 9. -

Explicitly designates responsibility for incident response to .

- - - - b. -

Distribute copies of the incident response plan to ;

- - - c. -

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

- - - d. -

Communicate incident response plan changes to ; and

- - - e. -

Protect the incident response plan from unauthorized disclosure and modification.

- - - -

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

- - - - - Maintenance - - Policy and Procedures - - - - - - - - - - - - - - MA-1 - MA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- maintenance policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

- - - c. -

Review and update the current maintenance:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Controlled Maintenance - - - - - - - - - - MA-2 - MA-02 - [OMB A-130] - [IR 8023] - CM-2 - CM-3 - CM-4 - CM-5 - CM-8 - MA-4 - MP-6 - PE-16 - SI-2 - SR-3 - SR-4 - SR-11 - - - a. -

Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

- - - b. -

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

- - - c. -

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

- - - d. -

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

- - - e. -

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

- - - f. -

Include the following information in organizational maintenance records: .

- - - -

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems.

- - - - Nonlocal Maintenance - MA-4 - MA-04 - [FIPS 140-3] - [FIPS 197] - [FIPS 201-2] - [SP 800-63-3] - [SP 800-88] - AC-2 - AC-3 - AC-6 - AC-17 - AU-2 - AU-3 - IA-2 - IA-4 - IA-5 - IA-8 - MA-2 - MA-5 - PL-2 - SC-7 - SC-10 - - - a. -

Approve and monitor nonlocal maintenance and diagnostic activities;

- - - b. -

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

- - - c. -

Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

- - - d. -

Maintain records for nonlocal maintenance and diagnostic activities; and

- - - e. -

Terminate session and network connections when nonlocal maintenance is completed.

- - - -

Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

- - - - Maintenance Personnel - MA-5 - MA-05 - AC-2 - AC-3 - AC-5 - AC-6 - IA-2 - IA-8 - MA-4 - MP-2 - PE-2 - PE-3 - PS-7 - RA-3 - - - a. -

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

- - - b. -

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

- - - c. -

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

- - - -

Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods.

- - - - - Media Protection - - Policy and Procedures - - - - - - - - - - - - - - MP-1 - MP-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- media protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

- - - c. -

Review and update the current media protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Media Access - - - - - - - MP-2 - MP-02 - [OMB A-130] - [FIPS 199] - [SP 800-111] - AC-19 - AU-9 - CP-2 - CP-9 - CP-10 - MA-5 - MP-4 - MP-6 - PE-2 - PE-3 - SC-13 - SC-34 - SI-12 - -

Restrict access to to .

- - -

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media.

- - - - Media Sanitization - - - - - - - MP-6 - MP-06 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-88] - [SP 800-124] - [IR 8023] - [NSA MEDIA] - AC-3 - AC-7 - AU-11 - MA-2 - MA-3 - MA-4 - MA-5 - PM-22 - SI-12 - SI-18 - SI-19 - SR-11 - - - a. -

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

- - - b. -

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

- - - -

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information.

- - - - Media Use - - - - - - - - - - - MP-7 - MP-07 - [FIPS 199] - [SP 800-111] - AC-19 - AC-20 - PL-4 - PM-12 - SC-34 - SC-41 - - - a. -

- the use of on using ; and

- - - b. -

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

- - - -

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

- - - - - Physical and Environmental Protection - - Policy and Procedures - - - - - - - - - - - - - - PE-1 - PE-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - AT-3 - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- physical and environmental protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

- - - c. -

Review and update the current physical and environmental protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Physical Access Authorizations - - - - PE-2 - PE-02 - [FIPS 201-2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - AT-3 - AU-9 - IA-4 - MA-5 - MP-2 - PE-3 - PE-4 - PE-5 - PE-8 - PM-12 - PS-3 - PS-4 - PS-5 - PS-6 - - - a. -

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

- - - b. -

Issue authorization credentials for facility access;

- - - c. -

Review the access list detailing authorized facility access by individuals ; and

- - - d. -

Remove individuals from the facility access list when access is no longer required.

- - - -

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible.

- - - - Physical Access Control - - - - - - - - - - - - - - - - - - - - - - - - - - PE-3 - PE-03 - [FIPS 201-2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-116] - AT-3 - AU-2 - AU-6 - AU-9 - AU-13 - CP-10 - IA-3 - IA-8 - MA-5 - MP-2 - MP-4 - PE-2 - PE-4 - PE-5 - PE-8 - PS-2 - PS-3 - PS-6 - PS-7 - RA-3 - SC-28 - SI-4 - SR-3 - - - a. -

Enforce physical access authorizations at by:

- - 1. -

Verifying individual access authorizations before granting access to the facility; and

- - - 2. -

Controlling ingress and egress to the facility using ;

- - - - b. -

Maintain physical access audit logs for ;

- - - c. -

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

- - - d. -

Escort visitors and monitor visitor activity ;

- - - e. -

Secure keys, combinations, and other physical access devices;

- - - f. -

Inventory every ; and

- - - g. -

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

- - - -

Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

- - - - Monitoring Physical Access - - - - - - - PE-6 - PE-06 - AU-2 - AU-6 - AU-9 - AU-12 - CA-7 - CP-10 - IR-4 - IR-8 - - - a. -

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

- - - b. -

Review physical access logs and upon occurrence of ; and

- - - c. -

Coordinate results of reviews and investigations with the organizational incident response capability.

- - - -

Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses.

- - - - Visitor Access Records - - - - - - - - - - PE-8 - PE-08 - PE-2 - PE-3 - PE-6 - - - a. -

Maintain visitor access records to the facility where the system resides for ;

- - - b. -

Review visitor access records ; and

- - - c. -

Report anomalies in visitor access records to .

- - - -

Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas.

- - - - Emergency Lighting - PE-12 - PE-12 - CP-2 - CP-7 - -

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

- - -

The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites.

- - - - Fire Protection - PE-13 - PE-13 - AT-3 - -

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

- - -

The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors.

- - - - Environmental Controls - - - - - - - - - - - PE-14 - PE-14 - AT-3 - CP-2 - PE-21 - - - a. -

Maintain levels within the facility where the system resides at ; and

- - - b. -

Monitor environmental control levels .

- - - -

The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure.

- - - - Water Damage Protection - PE-15 - PE-15 - AT-3 - PE-10 - -

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

- - -

The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

- - - - Delivery and Removal - - - - PE-16 - PE-16 - CM-3 - CM-8 - MA-2 - MA-3 - MP-5 - PE-20 - SR-2 - SR-3 - SR-4 - SR-6 - - - a. -

Authorize and control entering and exiting the facility; and

- - - b. -

Maintain records of the system components.

- - - -

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

- - - - - Planning - - Policy and Procedures - - - - - - - - - - - - - - PL-1 - PL-01 - [OMB A-130] - [SP 800-12] - [SP 800-18] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- planning policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

- - - c. -

Review and update the current planning:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - System Security and Privacy Plans - - - - - - - - - - PL-2 - PL-02 - [OMB A-130, Appendix II] - [SP 800-18] - [SP 800-37] - [SP 800-160 v1] - [SP 800-160 v2] - AC-2 - AC-6 - AC-14 - AC-17 - AC-20 - CA-2 - CA-3 - CA-7 - CM-9 - CM-13 - CP-2 - CP-4 - IR-4 - IR-8 - MA-4 - MA-5 - MP-4 - MP-5 - PL-7 - PL-8 - PL-10 - PL-11 - PM-1 - PM-7 - PM-8 - PM-9 - PM-10 - PM-11 - RA-3 - RA-8 - RA-9 - SA-5 - SA-17 - SA-22 - SI-12 - SR-2 - SR-4 - - - a. -

Develop security and privacy plans for the system that:

- - 1. -

Are consistent with the organization’s enterprise architecture;

- - - 2. -

Explicitly define the constituent system components;

- - - 3. -

Describe the operational context of the system in terms of missions and business processes;

- - - 4. -

Provide the security categorization of the system, including supporting rationale;

- - - 5. -

Describe any specific threats to the system that are of concern to the organization;

- - - 6. -

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

- - - 7. -

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

- - - 8. -

Provide an overview of the security and privacy requirements for the system;

- - - 9. -

Identify any relevant control baselines or overlays, if applicable;

- - - 10. -

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

- - - 11. -

Include risk determinations for security and privacy architecture and design decisions;

- - - 12. -

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

- - - 13. -

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

- - - - b. -

Distribute copies of the plans and communicate subsequent changes to the plans to ;

- - - c. -

Review the plans ;

- - - d. -

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

- - - e. -

Protect the plans from unauthorized disclosure and modification.

- - - -

System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. -Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. -Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. -Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate.

- - - - Rules of Behavior - - - - - - - - PL-4 - PL-04 - [OMB A-130] - [SP 800-18] - AC-2 - AC-6 - AC-8 - AC-9 - AC-17 - AC-18 - AC-19 - AC-20 - AT-2 - AT-3 - CM-11 - IA-2 - IA-4 - IA-5 - MP-7 - PS-6 - PS-8 - SA-5 - SI-12 - - - a. -

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

- - - b. -

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

- - - c. -

Review and update the rules of behavior ; and

- - - d. -

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

- - - -

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons.

- - - Social Media and External Site/application Usage Restrictions - PL-4(1) - PL-04(01) - AC-22 - AU-13 - -

Include in the rules of behavior, restrictions on:

- - (a) -

Use of social media, social networking sites, and external sites/applications;

- - - (b) -

Posting organizational information on public websites; and

- - - (c) -

Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications.

- - - -

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information.

- - - - - Baseline Selection - PL-10 - PL-10 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53B] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [CNSSI 1253] - PL-2 - PL-11 - RA-2 - RA-3 - SA-8 - -

Select a control baseline for the system.

- - -

Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments.

- - - - Baseline Tailoring - PL-11 - PL-11 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53B] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [CNSSI 1253] - PL-10 - RA-2 - RA-3 - RA-9 - SA-8 - -

Tailor the selected control baseline by applying specified tailoring actions.

- - -

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities.

- - - - - Program Management - - Information Security Program Plan - - - - PM-1 - PM-01 - [FISMA] - [OMB A-130] - PL-2 - PM-8 - PM-12 - RA-9 - SI-12 - SR-2 - - - a. -

Develop and disseminate an organization-wide information security program plan that:

- - 1. -

Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;

- - - 2. -

Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

- - - 3. -

Reflects the coordination among organizational entities responsible for information security; and

- - - 4. -

Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

- - - - b. -

Review the organization-wide information security program plan ;

- - - c. -

Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and

- - - d. -

Protect the information security program plan from unauthorized disclosure and modification.

- - - -

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents. -Information security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. -Program management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization. -Common controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.

- - - - Information Security Program Leadership Role - PM-2 - PM-02 - [OMB M-17-25] - [SP 800-37] - [SP 800-39] - -

Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

- - -

The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.

- - - - Information Security and Privacy Resources - PM-3 - PM-03 - [OMB A-130] - PM-4 - SA-2 - - - a. -

Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;

- - - b. -

Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and

- - - c. -

Make available for expenditure, the planned information security and privacy resources.

- - - -

Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.

- - - - Plan of Action and Milestones Process - PM-4 - PM-04 - [PRIVACT] - [OMB A-130] - [SP 800-37] - CA-5 - CA-7 - PM-3 - RA-7 - SI-12 - - - a. -

Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:

- - 1. -

Are developed and maintained;

- - - 2. -

Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and

- - - 3. -

Are reported in accordance with established reporting requirements.

- - - - b. -

Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5.

- - - - System Inventory - - - - PM-5 - PM-05 - [IR 8062] - -

Develop and update an inventory of organizational systems.

- - -

[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8.

- - - Inventory of Personally Identifiable Information - - - - PM-5(1) - PM-05(01) - CM-8 - CM-12 - CM-13 - PL-8 - PM-22 - PT-3 - PT-6 - SI-12 - SI-18 - -

Establish, maintain, and update an inventory of all systems, applications, and projects that process personally identifiable information.

- - -

An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.

- - - - - Measures of Performance - PM-6 - PM-06 - [OMB A-130] - [SP 800-55] - [SP 800-137] - CA-7 - -

Develop, monitor, and report on the results of information security and privacy measures of performance.

- - -

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program.

- - - - Enterprise Architecture - PM-7 - PM-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - [SP 800-160 v2] - AU-6 - PL-2 - PL-8 - PM-11 - RA-2 - SA-3 - SA-8 - SA-17 - -

Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.

- - -

The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines.

- - - Offloading - - - - PM-7(1) - PM-07(01) - SA-8 - -

Offload to other systems, system components, or an external provider.

- - -

Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services.

- - - - - Critical Infrastructure Plan - PM-8 - PM-08 - [OMB A-130] - [HSPD 7] - [DHS NIPP] - CP-2 - CP-4 - PE-18 - PL-2 - PM-9 - PM-11 - PM-18 - RA-3 - SI-12 - -

Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

- - -

Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Risk Management Strategy - - - - PM-9 - PM-09 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - AC-1 - AU-1 - AT-1 - CA-1 - CA-2 - CA-5 - CA-6 - CA-7 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PL-2 - PM-2 - PM-8 - PM-18 - PM-28 - PM-30 - PS-1 - PT-1 - PT-2 - PT-3 - RA-1 - RA-3 - RA-9 - SA-1 - SA-4 - SC-1 - SC-38 - SI-1 - SI-12 - SR-1 - SR-2 - - - a. -

Develops a comprehensive strategy to manage:

- - 1. -

Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and

- - - 2. -

Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

- - - - b. -

Implement the risk management strategy consistently across the organization; and

- - - c. -

Review and update the risk management strategy or as required, to address organizational changes.

- - - -

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive.

- - - - Authorization Process - PM-10 - PM-10 - [SP 800-37] - [SP 800-39] - CA-6 - CA-7 - PL-2 - - - a. -

Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;

- - - b. -

Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and

- - - c. -

Integrate the authorization processes into an organization-wide risk management program.

- - - -

Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.

- - - - Mission and Business Process Definition - - - - PM-11 - PM-11 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - CP-2 - PL-2 - PM-7 - PM-8 - RA-2 - RA-3 - SA-2 - - - a. -

Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and

- - - b. -

Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and

- - - c. -

Review and revise the mission and business processes .

- - - -

Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures.

- - - - Insider Threat Program - PM-12 - PM-12 - [EO 13587] - [ODNI NITP] - AC-6 - AT-2 - AU-6 - AU-7 - AU-10 - AU-12 - AU-13 - CA-7 - IA-4 - IR-4 - MP-7 - PE-2 - PM-16 - PS-3 - PS-4 - PS-5 - PS-7 - PS-8 - SC-7 - SC-38 - SI-4 - PM-14 - -

Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

- - -

Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture. -Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Security and Privacy Workforce - PM-13 - PM-13 - [OMB A-130] - [SP 800-181] - AT-2 - AT-3 - -

Establish a security and privacy workforce development and improvement program.

- - -

Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.

- - - - Testing, Training, and Monitoring - PM-14 - PM-14 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - AT-2 - AT-3 - CA-7 - CP-4 - IR-3 - PM-12 - SI-4 - - - a. -

Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:

- - 1. -

Are developed and maintained; and

- - - 2. -

Continue to be executed; and

- - - - b. -

Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

- - - - Security and Privacy Groups and Associations - PM-15 - PM-15 - [OMB A-130] - SA-11 - SI-5 - -

Establish and institutionalize contact with selected groups and associations within the security and privacy communities:

- - a. -

To facilitate ongoing security and privacy education and training for organizational personnel;

- - - b. -

To maintain currency with recommended security and privacy practices, techniques, and technologies; and

- - - c. -

To share current security and privacy information, including threats, vulnerabilities, and incidents.

- - - -

Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Threat Awareness Program - PM-16 - PM-16 - IR-4 - PM-12 - -

Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.

- - -

Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared.

- - - Automated Means for Sharing Threat Intelligence - PM-16(1) - PM-16(01) - -

Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.

- - -

To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures.

- - - - - Protecting Controlled Unclassified Information on External Systems - - - - PM-17 - PM-17 - [32 CFR 2002] - [SP 800-171] - [NARA CUI] - CA-6 - PM-10 - - - a. -

Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards.

- - - b. -

Update the policy and procedures .

- - - -

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

- - - - Privacy Program Plan - PM-18 - PM-18 - [PRIVACT] - [OMB A-130] - PM-8 - PM-9 - PM-19 - - - a. -

Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:

- - 1. -

Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;

- - - 2. -

Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;

- - - 3. -

Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;

- - - 4. -

Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;

- - - 5. -

Reflects coordination among organizational entities responsible for the different aspects of privacy; and

- - - 6. -

Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and

- - - - b. -

Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.

- - - -

A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. -The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. -Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. -Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.

- - - - Privacy Program Leadership Role - PM-19 - PM-19 - [OMB A-130] - PM-18 - PM-20 - PM-23 - PM-24 - -

Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

- - -

The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24).

- - - - Dissemination of Privacy Program Information - PM-20 - PM-20 - [PRIVACT] - [OMB A-130] - [OMB M-17-06] - PM-19 - PT-6 - PT-7 - RA-8 - -

Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:

- - a. -

Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;

- - - b. -

Ensures that organizational privacy practices and reports are publicly available; and

- - - c. -

Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.

- - - -

Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications.

- - - - Accounting of Disclosures - PM-21 - PM-21 - [PRIVACT] - [OMB A-130] - AU-2 - PT-2 - - - a. -

Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:

- - 1. -

Date, nature, and purpose of each disclosure; and

- - - 2. -

Name and address, or other contact information of the person or organization to which the disclosure was made;

- - - - b. -

Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and

- - - c. -

Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.

- - - -

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. -Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions.

- - - - Personally Identifiable Information Quality Management - PM-22 - PM-22 - [OMB A-130] - [SP 800-188] - PM-23 - SI-18 - -

Develop and document policies and procedures for:

- - a. -

Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;

- - - b. -

Correcting or deleting inaccurate or outdated personally identifiable information;

- - - c. -

Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and

- - - d. -

Appeals of adverse decisions on correction or deletion requests.

- - - -

Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. -The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. -Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.

- - - - Data Governance Body - - - - - - - PM-23 - PM-23 - [EVIDACT] - [OMB A-130] - [OMB M-19-23] - [SP 800-188] - AT-2 - AT-3 - PM-19 - PM-22 - PM-24 - PT-8 - SI-4 - SI-19 - -

Establish a Data Governance Body consisting of with .

- - -

A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23].

- - - - Data Integrity Board - PM-24 - PM-24 - [PRIVACT] - [OMB A-130, Appendix II] - [OMB A-108] - AC-4 - PM-19 - PM-23 - PT-8 - -

Establish a Data Integrity Board to:

- - a. -

Review proposals to conduct or participate in a matching program; and

- - - b. -

Conduct an annual review of all matching programs in which the agency has participated.

- - - -

A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.

- - - - Minimization of Pii Used in Testing, Training, and Research - - - - PM-25 - PM-25 - [OMB A-130, Appendix II] - PM-23 - PT-3 - SA-3 - - - a. -

Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;

- - - b. -

Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;

- - - c. -

Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and

- - - d. -

Review and update policies and procedures .

- - - -

The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2).

- - - - Complaint Management - - - - - - - - - - PM-26 - PM-26 - [OMB A-130] - IR-7 - IR-9 - PM-22 - SI-18 - -

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:

- - a. -

Mechanisms that are easy to use and readily accessible by the public;

- - - b. -

All information necessary for successfully filing complaints;

- - - c. -

Tracking mechanisms to ensure all complaints received are reviewed and addressed within ;

- - - d. -

Acknowledgement of receipt of complaints, concerns, or questions from individuals within ; and

- - - e. -

Response to complaints, concerns, or questions from individuals within .

- - - -

Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information.

- - - - Privacy Reporting - - - - - - - - - - PM-27 - PM-27 - [FISMA] - [OMB A-130] - [OMB A-108] - IR-9 - PM-19 - - - a. -

Develop and disseminate to:

- - 1. -

OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

- - - 2. -

- and other personnel with responsibility for monitoring privacy program compliance; and

- - - - b. -

Review and update privacy reports .

- - - -

Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.

- - - - Risk Framing - - - - - - - PM-28 - PM-28 - [OMB A-130] - [SP 800-39] - CA-7 - PM-9 - RA-3 - RA-7 - - - a. -

Identify and document:

- - 1. -

Assumptions affecting risk assessments, risk responses, and risk monitoring;

- - - 2. -

Constraints affecting risk assessments, risk responses, and risk monitoring;

- - - 3. -

Priorities and trade-offs considered by the organization for managing risk; and

- - - 4. -

Organizational risk tolerance; and

- - - - b. -

Distribute the results of risk framing activities to ;

- - - c. -

Review and update risk framing considerations .

- - - -

Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.

- - - - Risk Management Program Leadership Roles - PM-29 - PM-29 - [SP 800-37] - PM-2 - PM-19 - - - a. -

Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and

- - - b. -

Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.

- - - -

The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.

- - - - Supply Chain Risk Management Strategy - - - - PM-30 - PM-30 - [SP 800-161] - PM-9 - SR-1 - SR-2 - SR-3 - SR-4 - SR-5 - SR-6 - SR-7 - SR-8 - SR-9 - SR-11 - - - a. -

Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;

- - - b. -

Implement the supply chain risk management strategy consistently across the organization; and

- - - c. -

Review and update the supply chain risk management strategy on or as required, to address organizational changes.

- - - -

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level.

- - - - Continuous Monitoring Strategy - - - - - - - - - - - - - - - - PM-31 - PM-31 - [SP 800-37] - [SP 800-137] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CA-7 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-2 - SR-4 - -

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

- - a. -

Establishing the following organization-wide metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;

- - - d. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - e. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - f. -

Reporting the security and privacy status of organizational systems to - .

- - - -

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - - Purposing - - - - PM-32 - PM-32 - [SP 800-137] - CA-7 - PL-2 - RA-3 - RA-9 - -

Analyze supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.

- - -

Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures.

- - - - - Personnel Security - - Policy and Procedures - - - - - - - - - - - - - - PS-1 - PS-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- personnel security policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

- - - c. -

Review and update the current personnel security:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Position Risk Designation - - - - PS-2 - PS-02 - [5 CFR 731] - AC-5 - AT-3 - PE-2 - PE-3 - PL-2 - PS-3 - PS-6 - SA-5 - SA-21 - SI-12 - - - a. -

Assign a risk designation to all organizational positions;

- - - b. -

Establish screening criteria for individuals filling those positions; and

- - - c. -

Review and update position risk designations .

- - - -

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

- - - - Personnel Screening - - - - PS-3 - PS-03 - [EO 13526] - [EO 13587] - [FIPS 199] - [FIPS 201-2] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - AC-2 - IA-4 - MA-5 - PE-2 - PM-12 - PS-2 - PS-6 - PS-7 - SA-21 - - - a. -

Screen individuals prior to authorizing access to the system; and

- - - b. -

Rescreen individuals in accordance with .

- - - -

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

- - - - Personnel Termination - - - - - - - PS-4 - PS-04 - AC-2 - IA-4 - PE-2 - PM-12 - PS-6 - PS-7 - -

Upon termination of individual employment:

- - a. -

Disable system access within ;

- - - b. -

Terminate or revoke any authenticators and credentials associated with the individual;

- - - c. -

Conduct exit interviews that include a discussion of ;

- - - d. -

Retrieve all security-related organizational system-related property; and

- - - e. -

Retain access to organizational information and systems formerly controlled by terminated individual.

- - - -

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified.

- - - - Personnel Transfer - - - - - - - - - - - - - PS-5 - PS-05 - AC-2 - IA-4 - PE-2 - PM-12 - PS-4 - PS-7 - - - a. -

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

- - - b. -

Initiate within ;

- - - c. -

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

- - - d. -

Notify within .

- - - -

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

- - - - Access Agreements - - - - - - - PS-6 - PS-06 - AC-17 - PE-2 - PL-4 - PS-2 - PS-3 - PS-6 - PS-7 - PS-8 - SA-21 - SI-12 - - - a. -

Develop and document access agreements for organizational systems;

- - - b. -

Review and update the access agreements ; and

- - - c. -

Verify that individuals requiring access to organizational information and systems:

- - 1. -

Sign appropriate access agreements prior to being granted access; and

- - - 2. -

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

- - - - -

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

- - - - External Personnel Security - - - - - - - PS-7 - PS-07 - [SP 800-35] - AT-2 - AT-3 - MA-5 - PE-3 - PS-2 - PS-3 - PS-4 - PS-5 - PS-6 - SA-5 - SA-9 - SA-21 - - - a. -

Establish personnel security requirements, including security roles and responsibilities for external providers;

- - - b. -

Require external providers to comply with personnel security policies and procedures established by the organization;

- - - c. -

Document personnel security requirements;

- - - d. -

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

- - - e. -

Monitor provider compliance with personnel security requirements.

- - - -

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated.

- - - - Personnel Sanctions - - - - - - - PS-8 - PS-08 - AC-1 - AT-1 - AU-1 - CA-1 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PM-1 - PS-1 - PT-1 - RA-1 - SA-1 - SC-1 - SI-1 - SR-1 - PL-4 - PM-12 - PS-6 - PT-1 - - - a. -

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

- - - b. -

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

- - - -

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

- - - - - Risk Assessment - - Policy and Procedures - - - - - - - - - - - - - - RA-1 - RA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- risk assessment policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

- - - c. -

Review and update the current risk assessment:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Security Categorization - RA-2 - RA-02 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - CM-8 - MP-4 - PL-2 - PL-10 - PL-11 - PM-7 - RA-3 - RA-5 - RA-7 - RA-8 - SA-8 - SC-7 - SC-38 - SI-12 - - - a. -

Categorize the system and information it processes, stores, and transmits;

- - - b. -

Document the security categorization results, including supporting rationale, in the security plan for the system; and

- - - c. -

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

- - - -

Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. -Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts. -Security categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant.

- - - - Risk Assessment - - - - - - - - - - - - - - RA-3 - RA-03 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - [IR 8062] - CA-3 - CM-4 - CM-13 - CP-6 - CP-7 - IA-8 - MA-5 - PE-3 - PE-18 - PL-2 - PL-10 - PL-11 - PM-8 - PM-9 - PM-28 - RA-2 - RA-5 - RA-7 - SA-8 - SA-9 - SC-38 - SI-12 - - - a. -

Conduct a risk assessment, including:

- - 1. -

The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

- - - 2. -

The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

- - - - b. -

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

- - - c. -

Document risk assessment results in ;

- - - d. -

Review risk assessment results ;

- - - e. -

Disseminate risk assessment results to ; and

- - - f. -

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

- - - -

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. -Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. -In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

- - - Supply Chain Risk Assessment - - - - - - - RA-3(1) - RA-03(01) - RA-2 - RA-9 - PM-17 - SR-2 - - - (a) -

Assess supply chain risks associated with ; and

- - - (b) -

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

- - - -

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

- - - - - Vulnerability Monitoring and Scanning - - - - - - - - - - RA-5 - RA-05 - [SP 800-40] - [SP 800-53A] - [SP 800-70] - [SP 800-115] - [SP 800-126] - [IR 7788] - [IR 8023] - CA-2 - CA-7 - CM-2 - CM-4 - CM-6 - CM-8 - RA-2 - RA-3 - SA-11 - SA-15 - SC-38 - SI-2 - SI-3 - SI-4 - SI-7 - SR-11 - - - a. -

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

- - - b. -

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

- - 1. -

Enumerating platforms, software flaws, and improper configurations;

- - - 2. -

Formatting checklists and test procedures; and

- - - 3. -

Measuring vulnerability impact;

- - - - c. -

Analyze vulnerability scan reports and results from vulnerability monitoring;

- - - d. -

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

- - - e. -

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

- - - f. -

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

- - - -

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. -Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). -Vulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. -Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

- - - Update System Vulnerabilities - - - - - RA-5(2) - RA-05(02) - SI-5 - -

Update the system vulnerabilities to be scanned .

- - -

Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

- - - - - Risk Response - RA-7 - RA-07 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - CA-5 - IR-9 - PM-4 - PM-28 - RA-2 - RA-3 - SR-2 - -

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

- - -

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

- - - - - System and Services Acquisition - - Policy and Procedures - - - - - - - - - - - - - - SA-1 - SA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [SP 800-160 v1] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and services acquisition policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

- - - c. -

Review and update the current system and services acquisition:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Allocation of Resources - SA-2 - SA-02 - [OMB A-130] - [SP 800-160 v1] - PL-7 - PM-3 - PM-11 - SA-9 - SR-3 - SR-5 - - - a. -

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

- - - b. -

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

- - - c. -

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

- - - -

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle.

- - - - System Development Life Cycle - - - - SA-3 - SA-03 - [OMB A-130] - [SP 800-30] - [SP 800-37] - [SP 800-160 v1] - [SP 800-171] - [SP 800-171B] - AT-3 - PL-8 - PM-7 - SA-4 - SA-5 - SA-8 - SA-11 - SA-15 - SA-17 - SA-22 - SR-3 - SR-5 - SR-9 - - - a. -

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

- - - b. -

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

- - - c. -

Identify individuals having information security and privacy roles and responsibilities; and

- - - d. -

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

- - - -

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. -The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle.

- - - - Acquisition Process - - - - - SA-4 - SA-04 - [PRIVACT] - [OMB A-130] - [ISO 15408-1] - [ISO 15408-2] - [ISO 15408-3] - [FIPS 140-3] - [FIPS 201-2] - [SP 800-35] - [SP 800-37] - [SP 800-70] - [SP 800-73-4] - [SP 800-137] - [SP 800-160 v1] - [SP 800-161] - [IR 7539] - [IR 7622] - [IR 7676] - [IR 7870] - [IR 8062] - [NIAP CCEVS] - [NSA CSFC] - CM-6 - CM-8 - PS-7 - SA-3 - SA-5 - SA-8 - SA-11 - SA-15 - SA-16 - SA-17 - SA-21 - SR-3 - SR-5 - -

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

- - a. -

Security and privacy functional requirements;

- - - b. -

Strength of mechanism requirements;

- - - c. -

Security and privacy assurance requirements;

- - - d. -

Controls needed to satisfy the security and privacy requirements.

- - - e. -

Security and privacy documentation requirements;

- - - f. -

Requirements for protecting security and privacy documentation;

- - - g. -

Description of the system development environment and environment in which the system is intended to operate;

- - - h. -

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

- - - i. -

Acceptance criteria.

- - - -

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. -Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. -Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement.

- - - Use of Approved PIV Products - SA-4(10) - SA-04(10) - IA-2 - IA-8 - PM-9 - -

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

- - -

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations.

- - - - - System Documentation - - - - - - - SA-5 - SA-05 - [SP 800-160 v1] - CM-4 - CM-6 - CM-7 - CM-8 - PL-2 - PL-4 - PL-8 - PS-2 - SA-3 - SA-4 - SA-8 - SA-9 - SA-10 - SA-11 - SA-15 - SA-16 - SA-17 - SI-12 - SR-3 - - - a. -

Obtain administrator documentation for the system, system component, or system service that describes:

- - 1. -

Secure configuration, installation, and operation of the system, component, or service;

- - - 2. -

Effective use and maintenance of security and privacy functions and mechanisms; and

- - - 3. -

Known vulnerabilities regarding configuration and use of administrative or privileged functions;

- - - - b. -

Obtain user documentation for the system, system component, or system service that describes:

- - 1. -

User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;

- - - 2. -

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and

- - - 3. -

User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

- - - - c. -

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes in response;

- - - d. -

Protect documentation as required, in accordance with the organizational risk management strategy; and

- - - e. -

Distribute documentation to .

- - - -

System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

- - - - Security and Privacy Engineering Principles - - - - SA-8 - SA-08 - [FIPS 199] - [FIPS 200] - [SP 800-53A] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [IR 8062] - PL-8 - PM-7 - RA-2 - RA-3 - RA-9 - SA-3 - SA-4 - SA-15 - SA-17 - SA-20 - SC-2 - SC-3 - SC-32 - SC-39 - SR-2 - SR-3 - SR-5 - -

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

- - -

Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. -The application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. -Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design.

- - - - External System Services - - - - - - - SA-9 - SA-09 - [OMB A-130] - [SP 800-35] - [SP 800-160 v1] - [SP 800-161] - AC-20 - CA-3 - CP-2 - IR-4 - IR-7 - PL-10 - PL-11 - PS-7 - SA-2 - SA-4 - SR-3 - SR-5 - - - a. -

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

- - - b. -

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

- - - c. -

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

- - - -

External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - - Unsupported System Components - - - - - SA-22 - SA-22 - PL-2 - SA-3 - - - a. -

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or

- - - b. -

Provide the following options for alternative sources for continued support for unsupported components .

- - - -

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. -Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors.

- - - - - System and Communications Protection - - Policy and Procedures - - - - - - - - - - - - - - SC-1 - SC-01 - [OMB A-130] - [SP 800-12] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and communications protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

- - - c. -

Review and update the current system and communications protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Denial of Service Protection - - - - - - - - SC-5 - SC-05 - [SP 800-189] - CP-2 - IR-4 - SC-6 - SC-7 - SC-40 - - - a. -

- the effects of the following types of denial of service events: ; and

- - - b. -

Employ the following controls to achieve the denial of service objective: .

- - - -

Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events.

- - - - Boundary Protection - - SC-7 - SC-07 - [OMB A-130] - [FIPS 199] - [SP 800-37] - [SP 800-41] - [SP 800-77] - [SP 800-189] - AC-4 - AC-17 - AC-18 - AC-19 - AC-20 - AU-13 - CA-3 - CM-2 - CM-4 - CM-7 - CM-10 - CP-8 - CP-10 - IR-4 - MA-4 - PE-3 - PM-12 - SA-8 - SC-5 - SC-32 - SC-43 - - - a. -

Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;

- - - b. -

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

- - - c. -

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

- - - -

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions.

- - - - Cryptographic Key Establishment and Management - - - - SC-12 - SC-12 - [FIPS 140-3] - [SP 800-56A] - [SP 800-56B] - [SP 800-56C] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-63-3] - [IR 7956] - [IR 7966] - AC-17 - AU-9 - AU-10 - CM-3 - IA-3 - IA-7 - SA-4 - SA-8 - SA-9 - SC-8 - SC-11 - SC-13 - SC-17 - SC-20 - SC-37 - SC-40 - SI-3 - SI-7 - -

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

- - -

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

- - - - Cryptographic Protection - - - - - - - SC-13 - SC-13 - [FIPS 140-3] - AC-2 - AC-3 - AC-7 - AC-17 - AC-18 - AC-19 - AU-9 - AU-10 - CM-11 - CP-9 - IA-3 - IA-7 - MA-4 - MP-2 - MP-4 - MP-5 - SA-4 - SA-8 - SA-9 - SC-8 - SC-12 - SC-20 - SC-23 - SC-28 - SC-40 - SI-3 - SI-7 - - - a. -

Determine the ; and

- - - b. -

Implement the following types of cryptography required for each specified cryptographic use: .

- - - -

Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Collaborative Computing Devices and Applications - - - - SC-15 - SC-15 - AC-21 - SC-42 - - - a. -

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

- - - b. -

Provide an explicit indication of use to users physically present at the devices.

- - - -

Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

- - - - Secure Name/address Resolution Service (authoritative Source) - SC-20 - SC-20 - [FIPS 140-3] - [FIPS 186-4] - [SP 800-81-2] - AU-10 - SC-8 - SC-12 - SC-13 - SC-21 - SC-22 - - - a. -

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

- - - b. -

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

- - - -

This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

- - - - Secure Name/address Resolution Service (recursive or Caching Resolver) - SC-21 - SC-21 - [SP 800-81-2] - SC-20 - SC-22 - -

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

- - -

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

- - - - Architecture and Provisioning for Name/address Resolution Service - SC-22 - SC-22 - [SP 800-81-2] - SC-2 - SC-20 - SC-21 - SC-24 - -

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

- - -

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists.

- - - - Process Isolation - SC-39 - SC-39 - [SP 800-160 v1] - AC-3 - AC-4 - AC-6 - AC-25 - SA-8 - SC-2 - SC-3 - SI-16 - -

Maintain a separate execution domain for each executing system process.

- - -

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

- - - - - System and Information Integrity - - Policy and Procedures - - - - - - - - - - - - - - SI-1 - SI-01 - [OMB A-130] - [SP 800-12] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and information integrity policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

- - - c. -

Review and update the current system and information integrity:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Flaw Remediation - - - - SI-2 - SI-02 - [OMB A-130] - [FIPS 140-3] - [FIPS 186-4] - [SP 800-40] - [SP 800-128] - [IR 7788] - CA-5 - CM-3 - CM-4 - CM-5 - CM-6 - CM-8 - MA-2 - RA-5 - SA-8 - SA-10 - SA-11 - SI-3 - SI-5 - SI-7 - SI-11 - - - a. -

Identify, report, and correct system flaws;

- - - b. -

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

- - - c. -

Install security-relevant software and firmware updates within of the release of the updates; and

- - - d. -

Incorporate flaw remediation into the organizational configuration management process.

- - - -

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. -Organization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

- - - - Malicious Code Protection - - - - - - - - - - - - - SI-3 - SI-03 - [SP 800-83] - [SP 800-125B] - [SP 800-177] - AC-4 - AC-19 - CM-3 - CM-8 - IR-4 - MA-3 - MA-4 - RA-5 - SC-7 - SC-23 - SC-26 - SC-28 - SC-44 - SI-2 - SI-4 - SI-7 - SI-8 - SI-15 - - - a. -

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

- - - b. -

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

- - - c. -

Configure malicious code protection mechanisms to:

- - 1. -

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

- - - 2. -

- ; and send alert to in response to malicious code detection.

- - - - d. -

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

- - - -

System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. -Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions. -In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files.

- - - - System Monitoring - - - - - - - - - - - - - - - - - SI-4 - SI-04 - [OMB A-130] - [SP 800-61] - [SP 800-83] - [SP 800-92] - [SP 800-94] - [SP 800-137] - AC-2 - AC-3 - AC-4 - AC-8 - AC-17 - AU-2 - AU-6 - AU-7 - AU-9 - AU-12 - AU-13 - AU-14 - CA-7 - CM-3 - CM-6 - CM-8 - CM-11 - IA-10 - IR-4 - MA-3 - MA-4 - PM-12 - RA-5 - SC-5 - SC-7 - SC-18 - SC-26 - SC-31 - SC-35 - SC-36 - SC-37 - SC-43 - SI-3 - SI-6 - SI-7 - SR-9 - SR-10 - - - a. -

Monitor the system to detect:

- - 1. -

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

- - - 2. -

Unauthorized local, network, and remote connections;

- - - - b. -

Identify unauthorized use of the system through the following techniques and methods: ;

- - - c. -

Invoke internal monitoring capabilities or deploy monitoring devices:

- - 1. -

Strategically within the system to collect organization-determined essential information; and

- - - 2. -

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

- - - - d. -

Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

- - - e. -

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

- - - f. -

Obtain legal opinion regarding system monitoring activities; and

- - - g. -

Provide to - .

- - - -

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. -Depending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Security Alerts, Advisories, and Directives - - - - - - - - - - - - - - SI-5 - SI-05 - [SP 800-40] - PM-15 - RA-5 - SI-2 - - - a. -

Receive system security alerts, advisories, and directives from on an ongoing basis;

- - - b. -

Generate internal security alerts, advisories, and directives as deemed necessary;

- - - c. -

Disseminate security alerts, advisories, and directives to: ; and

- - - d. -

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

- - - -

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

- - - - Information Management and Retention - SI-12 - SI-12 - [OMB A-130, Appendix II] - AC-1 - AT-1 - AU-1 - CA-1 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PM-1 - PS-1 - PT-1 - RA-1 - SA-1 - SC-1 - SI-1 - SR-1 - AC-16 - AU-5 - AU-11 - CA-2 - CA-3 - CA-5 - CA-6 - CA-7 - CA-9 - CM-5 - CM-9 - CP-2 - IR-8 - MP-2 - MP-3 - MP-4 - MP-6 - PL-2 - PL-4 - PM-4 - PM-8 - PM-9 - PS-2 - PS-6 - PT-1 - PT-2 - PT-3 - RA-2 - RA-3 - SA-5 - SR-1 - -

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

- - -

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel.

- - - - - Supply Chain Risk Management - - Policy and Procedures - - - - - - - - - - - - - - SR-1 - SR-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [SP 800-161] - PM-9 - PM-30 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- supply chain risk management policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

- - - c. -

Review and update the current supply chain risk management:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Supply Chain Risk Management Plan - - - - - - - SR-2 - SR-02 - [SP 800-30] - [SP 800-39] - [SP 800-160 v1] - [SP 800-161] - [IR 7622] - CA-2 - CP-4 - IR-4 - MA-2 - MA-6 - PE-16 - PL-2 - PM-9 - PM-30 - RA-3 - RA-7 - SA-8 - - - a. -

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: ;

- - - b. -

Implement the supply chain risk management plan consistently across the organization; and

- - - c. -

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes.

- - - -

The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. -Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

- - - Establish Scrm Team - - - - - - - SR-2(1) - SR-02(01) - -

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

- - -

To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team.

- - - - - Supply Chain Controls and Processes - - - - - - - - - - - - - - SR-3 - SR-03 - [SP 800-30] - [SP 800-161] - [IR 7622] - CA-2 - MA-2 - MA-6 - PE-3 - PE-16 - PL-8 - PM-30 - SA-2 - SA-3 - SA-4 - SA-5 - SA-8 - SA-9 - SA-10 - SA-15 - SC-7 - SC-29 - SC-30 - SC-38 - SI-7 - SR-6 - SR-9 - SR-11 - - - a. -

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

- - - b. -

Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

- - - c. -

Document the selected and implemented supply chain processes and controls in .

- - - -

Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

- - - - Acquisition Strategies, Tools, and Methods - - - - SR-5 - SR-05 - [SP 800-30] - [SP 800-161] - [IR 7622] - AT-3 - SA-2 - SA-3 - SA-4 - SA-5 - SA-8 - SA-9 - SA-10 - SA-15 - SR-6 - SR-9 - SR-10 - SR-11 - -

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

- - -

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

- - - - Notification Agreements - - - - - SR-8 - SR-08 - [SP 800-30] - [SP 800-161] - [IR 7622] - IR-4 - IR-6 - IR-8 - -

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

- - -

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

- - - - Inspection of Systems or Components - - - - - - - - - - - SR-10 - SR-10 - AT-3 - PM-30 - SI-4 - SI-7 - SR-3 - SR-4 - SR-5 - SR-9 - SR-11 - -

Inspect the following systems or system components to detect tampering: .

- - -

Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations.

- - - - Component Authenticity - - - - - - - - SR-11 - SR-11 - PE-3 - SA-4 - SI-7 - SR-9 - SR-10 - - - a. -

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

- - - b. -

Report counterfeit system components to .

- - - -

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

- - - Anti-counterfeit Training - - - - SR-11(1) - SR-11(01) - AT-3 - -

Train to detect counterfeit system components (including hardware, software, and firmware).

- - -

None.

- - - - Configuration Control for Component Service and Repair - - - - SR-11(2) - SR-11(02) - CM-3 - MA-2 - MA-4 - SA-10 - -

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

- - -

None.

- - - - Component Disposal - - - - SR-11(3) - SR-11(03) - MP-6 - -

Dispose of system components using the following techniques and methods: .

- - -

Proper disposal of system components helps to prevent such components from entering the gray market.

- - - - - - - [PRIVACT] - - Privacy Act (P.L. 93-579), December 1974. - - - - - [EVIDACT] - - Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019. - - - - - [EO 13526] - - Executive Order 13526, Classified National Security Information, December 2009. - - - - - [FISMA] - - Federal Information Security Modernization Act (P.L. 113-283), December 2014. - - - - - [EO 13587] - - Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 2011. - - - - - [HSPD 7] - - Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003. - - - - - [5 CFR 731] - - Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements(5 C.F.R. 731.106). - - - - - [32 CFR 2002] - - Code of Federal Regulations, Title 32, Controlled Unclassified Information(32 C.F.R 2002). - - - - - [ODNI NITP] - - Office of the Director National Intelligence, National Insider Threat Policy - - - - - - [OMB A-108] - - Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, December 2016. - - - - - - [OMB A-130] - - Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016. - - - - - [OMB M-17-06] - - Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services, November 2016. - - - - - - [OMB M-17-12] - - Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017. - - - - - - [OMB M-17-25] - - Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017. - - - - - - [OMB M-19-23] - - Office of Management and Budget Memorandum M-19-23, Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance, July 2019. - - - - - - [CNSSI 1253] - - Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, March 2014. - - - - - [DHS NIPP] - - Department of Homeland Security, National Infrastructure Protection Plan (NIPP), 2009. - - - - - [ISO 15408-1] - - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model, April 2017. - - - - - - [ISO 15408-2] - - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements, April 2017. - - - - - - [ISO 15408-3] - - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements, April 2017. - - - - - - [FIPS 140-3] - - National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - - - - - [FIPS 180-4] - - National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. - - - - - [FIPS 186-4] - - National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. - - - - - [FIPS 197] - - National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. - - - - - [FIPS 199] - - National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - - - - - [FIPS 200] - - National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - - - - - [FIPS 201-2] - - National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - - - - - [FIPS 202] - - National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. - - - - - [SP 800-12] - - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. - - - - - - [SP 800-18] - - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. - - - - - - [SP 800-30] - - Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - - - - - [SP 800-34] - - Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. - - - - - [SP 800-35] - - Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - - - - - [SP 800-37] - - Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - - - - - [SP 800-39] - - Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - - - - - [SP 800-40] - - Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. - - - - - [SP 800-41] - - Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. - - - - - [SP 800-46] - - Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. - - - - - [SP 800-47] - - Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. - - - - - [SP 800-50] - - Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - - - - - [SP 800-53A] - - Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - - - - - [SP 800-53B] - - National Institute of Standards and Technology Special Publication 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. Projected for publication in 2020. - - - - [SP 800-55] - - Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - - - - - [SP 800-56A] - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. - - - - - [SP 800-56B] - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. - - - - - [SP 800-56C] - - Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1. - - - - - [SP 800-57-1] - - Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4. - - - - - [SP 800-57-2] - - Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. - - - - - [SP 800-57-3] - - Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. - - - - - [SP 800-60 v1] - - Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - - - - - [SP 800-60 v2] - - Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - - - - - [SP 800-61] - - Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - - - - - [SP 800-63-3] - - Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - - - - - [SP 800-70] - - Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - - - - - [SP 800-73-4] - - Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - - - - - [SP 800-76-2] - - Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. - - - - - - [SP 800-77] - - Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77. - - - - - [SP 800-78-4] - - Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. - - - - - - [SP 800-79-2] - - Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. - - - - - - [SP 800-81-2] - - Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. - - - - - - [SP 800-83] - - Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - - - - - [SP 800-84] - - Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - - - - - [SP 800-86] - - Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - - - - - [SP 800-88] - - Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - - - - - [SP 800-92] - - Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - - - - - [SP 800-94] - - Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. - - - - - [SP 800-97] - - Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. - - - - - [SP 800-100] - - Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - - - - - [SP 800-101] - - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. - - - - - - [SP 800-111] - - Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. - - - - - - [SP 800-113] - - Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. - - - - - [SP 800-114] - - Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. - - - - - [SP 800-115] - - Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - - - - - [SP 800-116] - - Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. - - - - - [SP 800-121] - - Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. - - - - - [SP 800-124] - - Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - - - - - [SP 800-125B] - - Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. - - - - - [SP 800-126] - - Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. - - - - - [SP 800-128] - - Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - - - - - [SP 800-130] - - Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. - - - - - [SP 800-137] - - Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - - - - - [SP 800-150] - - Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - - - - - [SP 800-152] - - Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. - - - - - [SP 800-156] - - Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. - - - - - [SP 800-160 v1] - - Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - - - - - [SP 800-160 v2] - - Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - - - - - [SP 800-161] - - Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - - - - - [SP 800-162] - - Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019. - - - - - [SP 800-166] - - Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. - - - - - [SP 800-167] - - Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. - - - - - [SP 800-171] - - Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. - - - - - [SP 800-171B] - - Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B. - - - - - [SP 800-177] - - Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. - - - - - [SP 800-178] - - Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. - - - - - [SP 800-181] - - Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - - - - - [SP 800-184] - - Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - - - - - [SP 800-188] - - Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - - - - - [SP 800-189] - - Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. - - - - - [SP 800-192] - - Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. - - - - - [IR 7539] - - Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - - - - - [IR 7559] - - Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - - - - - [IR 7622] - - Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - - - - - [IR 7676] - - Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - - - - - [IR 7788] - - Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. - - - - - [IR 7817] - - Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. - - - - - [IR 7849] - - Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. - - - - - [IR 7870] - - Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - - - - - [IR 7874] - - Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - - - - - [IR 7956] - - Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. - - - - - [IR 7966] - - Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. - - - - - [IR 8011 v1] - - Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - - - - - [IR 8023] - - Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - - - - - [IR 8040] - - Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. - - - - - [IR 8062] - - Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - - - - - [IR 8179] - - Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. - - - - - [DOD STIG] - - Defense Information Systems Agency, Security Technical Implementation Guides (STIG). - - - - - [IETF 5905] - - - - - - [NARA CUI] - - National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. - - - - - [NIAP CCEVS] - - National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. - - - - - [NCPR] - - National Institute of Standards and Technology (2020) National Checklist Program Repository. Available at - - - - - [NSA CSFC] - - National Security Agency, Commercial Solutions for Classified Program (CSfC). - - - - - [NSA MEDIA] - - National Security Agency, Media Destruction Guidance. - - - - - [USGCB] - - National Institute of Standards and Technology (2020) United States Government Configuration Baseline. Available at - - - - - diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml deleted file mode 100644 index c400219174..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml +++ /dev/null @@ -1,226 +0,0 @@ - - - - SP800-53 LOW IMPACT BASELINE - 2020-08-26T16:28:37.432-04:00 - FPD - 1.0.0-milestone3 - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - fcba95f8-df3b-47cd-ae6f-57089a2b7174 - - - fcba95f8-df3b-47cd-ae6f-57089a2b7174 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - true - - diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.xml deleted file mode 100644 index 755f433bf1..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.xml +++ /dev/null @@ -1,11805 +0,0 @@ - - - - SP800-53 MODERATE IMPACT BASELINE - 2020-08-26T16:28:37.775-04:00 - FPD - 1.0.0-milestone3 - 2020-08-31T17:39:50.308351Z - SP800-53 MODERATE IMPACT BASELINE - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - - - 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - - - - Access Control - - Policy and Procedures - - - - - - - - - - - - - - AC-1 - AC-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [IR 7874] - IA-1 - PM-9 - PM-24 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- access control policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the access control policy and the associated access controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

- - - c. -

Review and update the current access control:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Account Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - AC-2 - AC-02 - [SP 800-162] - [SP 800-178] - [SP 800-192] - AC-3 - AC-5 - AC-6 - AC-17 - AC-18 - AC-20 - AC-24 - AU-2 - AU-12 - CM-5 - IA-2 - IA-4 - IA-5 - IA-8 - MA-3 - MA-5 - PE-2 - PL-4 - PS-2 - PS-4 - PS-5 - PS-7 - SC-7 - SC-13 - SC-37 - - - a. -

Define and document the types of accounts allowed for use within the system;

- - - b. -

Assign account managers;

- - - c. -

Establish conditions for group and role membership;

- - - d. -

Specify:

- - 1. -

Authorized users of the system;

- - - 2. -

Group and role membership; and

- - - 3. -

Access authorizations (i.e., privileges) and for each account;

- - - - e. -

Require approvals by for requests to create accounts;

- - - f. -

Create, enable, modify, disable, and remove accounts in accordance with ;

- - - g. -

Monitor the use of accounts;

- - - h. -

Notify account managers and within:

- - 1. -

- when accounts are no longer required;

- - - 2. -

- when users are terminated or transferred; and

- - - 3. -

- when system usage or need-to-know changes for an individual;

- - - - i. -

Authorize access to the system based on:

- - 1. -

A valid access authorization;

- - - 2. -

Intended system usage; and

- - - 3. -

- ;

- - - - j. -

Review accounts for compliance with account management requirements ;

- - - k. -

Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and

- - - l. -

Align account management processes with personnel termination and transfer processes.

- - - -

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy. -Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. -Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

- - - Automated System Account Management - - - - AC-2(1) - AC-02(01) - -

Support the management of system accounts using .

- - -

Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage.

- - - - Automated Temporary and Emergency Account Management - - - - - AC-2(2) - AC-02(02) - -

Automatically temporary and emergency accounts after .

- - -

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

- - - - Disable Accounts - - - - AC-2(3) - AC-02(03) - -

Disable accounts when the accounts:

- - (a) -

Have expired;

- - - (b) -

Are no longer associated with a user or individual;

- - - (c) -

Are in violation of organizational policy; or

- - - (d) -

Have been inactive for .

- - - -

Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system.

- - - - Automated Audit Actions - AC-2(4) - AC-02(04) - AU-2 - AU-6 - -

Automatically audit account creation, modification, enabling, disabling, and removal actions.

- - -

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

- - - - Inactivity Logout - - - - AC-2(5) - AC-02(05) - AC-11 - -

Require that users log out when .

- - -

Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11.

- - - - Disable Accounts for High-risk Individuals - - - - - - - AC-2(13) - AC-02(13) - AU-6 - SI-4 - -

Disable accounts of users within of discovery of .

- - -

Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement.

- - - - - Access Enforcement - AC-3 - AC-03 - [OMB A-130] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-162] - [SP 800-178] - [IR 7874] - AC-2 - AC-4 - AC-5 - AC-6 - AC-16 - AC-17 - AC-18 - AC-19 - AC-20 - AC-21 - AC-22 - AC-24 - AC-25 - AT-2 - AT-3 - AU-9 - CA-9 - CM-5 - CM-11 - IA-2 - IA-5 - IA-6 - IA-7 - IA-11 - MA-3 - MA-4 - MA-5 - MP-4 - PM-2 - PS-3 - SA-17 - SC-2 - SC-3 - SC-4 - SC-13 - SC-28 - SC-31 - SC-34 - SI-4 - -

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

- - -

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.

- - - - Information Flow Enforcement - - - - AC-4 - AC-04 - [SP 800-160 v1] - [SP 800-162] - [SP 800-178] - AC-3 - AC-6 - AC-16 - AC-17 - AC-19 - AC-21 - AU-10 - CA-3 - CA-9 - CM-7 - PM-24 - SA-17 - SC-4 - SC-7 - SC-16 - SC-31 - -

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on .

- - -

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels. -Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS).

- - - - Separation of Duties - - - - AC-5 - AC-05 - AC-2 - AC-3 - AC-6 - AU-9 - CM-5 - CM-11 - CP-9 - IA-2 - IA-5 - MA-3 - MA-5 - PS-2 - SA-8 - SA-17 - - - a. -

Identify and document ; and

- - - b. -

Define system access authorizations to support separation of duties.

- - - -

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3.

- - - - Least Privilege - AC-6 - AC-06 - AC-2 - AC-3 - AC-5 - AC-16 - CM-5 - CM-11 - PL-2 - PM-12 - SA-8 - SA-15 - SA-17 - SC-38 - -

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

- - -

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

- - - Authorize Access to Security Functions - - - - - - - - - - AC-6(1) - AC-06(01) - AC-17 - AC-18 - AC-19 - AU-9 - PE-2 - -

Explicitly authorize access for to:

- - (a) -

- ; and

- - - (b) -

- .

- - - -

Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.

- - - - Non-privileged Access for Nonsecurity Functions - - - - AC-6(2) - AC-06(02) - AC-17 - AC-18 - AC-19 - PL-4 - -

Require that users of system accounts (or roles) with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

- - -

Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

- - - - Privileged Accounts - - - - AC-6(5) - AC-06(05) - IA-2 - MA-3 - MA-4 - -

Restrict privileged accounts on the system to .

- - -

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

- - - - Review of User Privileges - - - - - - - AC-6(7) - AC-06(07) - CA-7 - - - (a) -

Review the privileges assigned to to validate the need for such privileges; and

- - - (b) -

Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

- - - -

The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

- - - - Log Use of Privileged Functions - AC-6(9) - AC-06(09) - AU-2 - AU-3 - AU-12 - -

Audit the execution of privileged functions.

- - -

The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

- - - - Prohibit Non-privileged Users from Executing Privileged Functions - AC-6(10) - AC-06(10) - -

Prevent non-privileged users from executing privileged functions.

- - -

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3.

- - - - - Unsuccessful Logon Attempts - - - - - - - - - - - - - - - - - AC-7 - AC-07 - [SP 800-63-3] - [SP 800-124] - AC-2 - AC-9 - AU-2 - AU-6 - IA-5 - - - a. -

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

- - - b. -

Automatically when the maximum number of unsuccessful attempts is exceeded.

- - - -

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address. -Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

- - - - System Use Notification - - - - - - - AC-8 - AC-08 - AC-14 - PL-4 - SI-4 - - - a. -

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

- - 1. -

Users are accessing a U.S. Government system;

- - - 2. -

System usage may be monitored, recorded, and subject to audit;

- - - 3. -

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

- - - 4. -

Use of the system indicates consent to monitoring and recording;

- - - - b. -

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

- - - c. -

For publicly accessible systems:

- - 1. -

Display system use information , before granting further access to the publicly accessible system;

- - - 2. -

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

- - - 3. -

Include a description of the authorized uses of the system.

- - - - -

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

- - - - Device Lock - - - - - AC-11 - AC-11 - AC-2 - AC-7 - IA-11 - PL-4 - - - a. -

Prevent further access to the system by ; and

- - - b. -

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

- - - -

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays.

- - - Pattern-hiding Displays - AC-11(1) - AC-11(01) - -

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

- - -

The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed.

- - - - - Session Termination - - - - AC-12 - AC-12 - MA-4 - SC-10 - SC-23 - -

Automatically terminate a user session after .

- - -

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

- - - - Permitted Actions Without Identification or Authentication - - - - AC-14 - AC-14 - AC-8 - IA-2 - PL-2 - - - a. -

Identify that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and

- - - b. -

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

- - - -

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none.

- - - - Remote Access - AC-17 - AC-17 - [SP 800-46] - [SP 800-77] - [SP 800-113] - [SP 800-114] - [SP 800-121] - [IR 7966] - AC-2 - AC-3 - AC-4 - AC-18 - AC-19 - AC-20 - CA-3 - CM-10 - IA-2 - IA-3 - IA-8 - MA-4 - PE-17 - PL-2 - PL-4 - SC-10 - SI-4 - - - a. -

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

- - - b. -

Authorize each type of remote access to the system prior to allowing such connections.

- - - -

Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3.

- - - Monitoring and Control - AC-17(1) - AC-17(01) - AU-2 - AU-6 - AU-12 - AU-14 - -

Employ automated mechanisms to monitor and control remote access methods.

- - -

Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a.

- - - - Protection of Confidentiality and Integrity Using Encryption - AC-17(2) - AC-17(02) - SC-8 - SC-12 - SC-13 - -

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

- - -

Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.

- - - - Managed Access Control Points - AC-17(3) - AC-17(03) - SC-7 - -

Route remote accesses through authorized and managed network access control points.

- - -

Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface.

- - - - Privileged Commands and Access - - - - AC-17(4) - AC-17(04) - AC-6 - SC-12 - SC-13 - - - (a) -

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: ; and

- - - (b) -

Document the rationale for remote access in the security plan for the system.

- - - -

Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.

- - - - - Wireless Access - AC-18 - AC-18 - [SP 800-94] - [SP 800-97] - AC-2 - AC-3 - AC-17 - AC-19 - CA-9 - CM-7 - IA-2 - IA-3 - IA-8 - PL-4 - SC-40 - SC-43 - SI-4 - - - a. -

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

- - - b. -

Authorize each type of wireless access to the system prior to allowing such connections.

- - - -

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication.

- - - Authentication and Encryption - - AC-18(1) - AC-18(01) - SC-8 - SC-13 - -

Protect wireless access to the system using authentication of and encryption.

- - -

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies.

- - - - Disable Wireless Networking - AC-18(3) - AC-18(03) - -

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

- - -

Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.

- - - - - Access Control for Mobile Devices - AC-19 - AC-19 - [SP 800-114] - [SP 800-124] - AC-3 - AC-4 - AC-7 - AC-11 - AC-17 - AC-18 - AC-20 - CA-9 - CM-2 - CM-6 - IA-2 - IA-3 - MP-2 - MP-4 - MP-5 - MP-7 - PL-4 - SC-7 - SC-34 - SC-43 - SI-3 - SI-4 - - - a. -

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

- - - b. -

Authorize the connection of mobile devices to organizational systems.

- - - -

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. -Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. -Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

- - - Full Device and Container-based Encryption - - - - - AC-19(5) - AC-19(05) - SC-13 - SC-28 - -

Employ to protect the confidentiality and integrity of information on .

- - -

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

- - - - - Use of External Systems - - - - - - - - AC-20 - AC-20 - [FIPS 199] - [SP 800-171] - [SP 800-171B] - AC-2 - AC-3 - AC-17 - AC-19 - CA-3 - PL-2 - PL-4 - SA-9 - SC-7 - -

Establish , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

- - a. -

Access the system from external systems; and

- - - b. -

Process, store, or transmit organization-controlled information using external systems.

- - - -

External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries. -For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. -This control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

- - - Limits on Authorized Use - AC-20(1) - AC-20(01) - CA-2 - -

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

- - (a) -

Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or

- - - (b) -

Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

- - - -

Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

- - - - Portable Storage Devices — Restricted Use - - - - AC-20(2) - AC-20(02) - MP-7 - SC-41 - -

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using .

- - -

Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.

- - - - - Information Sharing - - - - - - - AC-21 - AC-21 - [OMB A-130] - [SP 800-150] - [IR 8062] - AC-3 - AC-4 - AC-16 - PT-2 - PT-8 - RA-3 - SC-15 - - - a. -

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ; and

- - - b. -

Employ to assist users in making information sharing and collaboration decisions.

- - - -

Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA).

- - - - Publicly Accessible Content - - - - AC-22 - AC-22 - [PRIVACT] - AC-3 - AT-2 - AT-3 - AU-13 - - - a. -

Designate individuals authorized to make information publicly accessible;

- - - b. -

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

- - - c. -

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

- - - d. -

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

- - - -

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible.

- - - - - Awareness and Training - - Policy and Procedures - - - - - - - - - - - - - - AT-1 - AT-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- awareness and training policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

- - - c. -

Review and update the current awareness and training:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Awareness Training - - - - - - - AT-2 - AT-02 - [OMB A-130] - [SP 800-50] - [SP 800-160 v2] - AC-3 - AC-17 - AC-22 - AT-3 - AT-4 - CP-3 - IA-4 - IR-2 - IR-7 - IR-9 - PL-4 - PM-13 - PM-21 - PS-7 - PT-2 - SA-8 - SA-16 - - - a. -

Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):

- - 1. -

As part of initial training for new users and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update awareness training .

- - - -

Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. -Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective.

- - - Insider Threat - AT-2(2) - AT-02(02) - PM-12 - -

Provide awareness training on recognizing and reporting potential indicators of insider threat.

- - -

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations.

- - - - Social Engineering and Mining - AT-2(3) - AT-02(03) - -

Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.

- - -

Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.

- - - - - Role-based Training - - - - - - - - - - AT-3 - AT-03 - [OMB A-130] - [SP 800-50] - AC-3 - AC-17 - AC-22 - AT-2 - AT-4 - CP-3 - IR-2 - IR-7 - IR-9 - IR-10 - PL-4 - PM-13 - PM-23 - PS-7 - SA-3 - SA-8 - SA-11 - SA-16 - SR-5 - SR-6 - SR-11 - - - a. -

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

- - 1. -

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update role-based training .

- - - -

Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. -Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective.

- - - - Training Records - - - - AT-4 - AT-04 - [OMB A-130] - AT-2 - AT-3 - CP-3 - IR-2 - PM-14 - SI-12 - - - a. -

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

- - - b. -

Retain individual training records for .

- - - -

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

- - - - - Audit and Accountability - - Policy and Procedures - - - - - - - - - - - - - - AU-1 - AU-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- audit and accountability policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

- - - c. -

Review and update the current audit and accountability:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Event Logging - - - - - - - - - - AU-2 - AU-02 - [OMB A-130] - [SP 800-92] - AC-2 - AC-3 - AC-6 - AC-7 - AC-8 - AC-16 - AC-17 - AU-3 - AU-4 - AU-5 - AU-6 - AU-7 - AU-11 - AU-12 - CM-3 - CM-5 - CM-6 - CM-13 - IA-3 - MA-4 - MP-4 - PE-3 - PM-21 - PT-2 - PT-8 - RA-8 - SA-8 - SC-7 - SC-18 - SI-3 - SI-4 - SI-7 - SI-10 - SI-11 - - - a. -

Identify the types of events that the system is capable of logging in support of the audit function: ;

- - - b. -

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

- - - c. -

Specify the following event types for logging within the system: ;

- - - d. -

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

- - - e. -

Review and update the event types selected for logging .

- - - -

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. -To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. -Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

- - - - Content of Audit Records - AU-3 - AU-03 - [OMB A-130] - [IR 8062] - AU-2 - AU-8 - AU-12 - AU-14 - MA-4 - SA-8 - SI-7 - SI-11 - -

Ensure that audit records contain information that establishes the following:

- - a. -

What type of event occurred;

- - - b. -

When the event occurred;

- - - c. -

Where the event occurred;

- - - d. -

Source of the event;

- - - e. -

Outcome of the event; and

- - - f. -

Identity of any individuals, subjects, or objects/entities associated with the event.

- - - -

Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage.

- - - Additional Audit Information - - - - AU-3(1) - AU-03(01) - -

Generate audit records containing the following additional information: .

- - -

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest.

- - - - - Audit Log Storage Capacity - - - - AU-4 - AU-04 - AU-2 - AU-5 - AU-6 - AU-7 - AU-9 - AU-11 - AU-12 - AU-14 - SI-4 - -

Allocate audit log storage capacity to accommodate .

- - -

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

- - - - Response to Audit Logging Process Failures - - - - - - - - - - AU-5 - AU-05 - AU-2 - AU-4 - AU-7 - AU-9 - AU-11 - AU-12 - AU-14 - SI-4 - SI-12 - - - a. -

Alert within in the event of an audit logging process failure; and

- - - b. -

Take the following additional actions: .

- - - -

Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

- - - - Audit Record Review, Analysis, and Reporting - - - - - - - - - - AU-6 - AU-06 - [SP 800-86] - [SP 800-101] - AC-2 - AC-3 - AC-5 - AC-6 - AC-7 - AC-17 - AU-7 - AU-16 - CA-2 - CA-7 - CM-2 - CM-5 - CM-6 - CM-10 - CM-11 - IA-2 - IA-3 - IA-5 - IA-8 - IR-5 - MA-4 - MP-4 - PE-3 - PE-6 - RA-5 - SA-8 - SC-7 - SI-3 - SI-4 - SI-7 - - - a. -

Review and analyze system audit records for indications of ;

- - - b. -

Report findings to ; and

- - - c. -

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

- - - -

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

- - - Automated Process Integration - - - - AU-6(1) - AU-06(01) - PM-7 - -

Integrate audit record review, analysis, and reporting processes using .

- - -

Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.

- - - - Correlate Audit Record Repositories - AU-6(3) - AU-06(03) - AU-12 - IR-4 - -

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

- - -

Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.

- - - - - Audit Record Reduction and Report Generation - AU-7 - AU-07 - AC-2 - AU-2 - AU-3 - AU-4 - AU-5 - AU-6 - AU-12 - AU-16 - CM-5 - IA-5 - IR-4 - PM-12 - SI-4 - -

Provide and implement an audit record reduction and report generation capability that:

- - a. -

Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and

- - - b. -

Does not alter the original content or time ordering of audit records.

- - - -

Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.

- - - Automatic Processing - - - - AU-7(1) - AU-07(01) - -

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: .

- - -

Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component.

- - - - - Time Stamps - - - - AU-8 - AU-08 - [IETF 5905] - AU-3 - AU-12 - AU-14 - SC-45 - - - a. -

Use internal system clocks to generate time stamps for audit records; and

- - - b. -

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

- - - -

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

- - - Synchronization with Authoritative Time Source - - - - - - - - - - AU-8(1) - AU-08(01) - - - (a) -

Compare the internal system clocks with ; and

- - - (b) -

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .

- - - -

Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.

- - - - - Protection of Audit Information - AU-9 - AU-09 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 202] - AC-3 - AC-6 - AU-6 - AU-11 - AU-14 - AU-15 - MP-2 - MP-4 - PE-2 - PE-3 - PE-6 - SA-8 - SC-8 - SI-4 - -

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

- - -

Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

- - - Access by Subset of Privileged Users - - - - AU-9(4) - AU-09(04) - AC-5 - -

Authorize access to management of audit logging functionality to only .

- - -

Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges.

- - - - - Audit Record Retention - - - - AU-11 - AU-11 - [OMB A-130] - AU-2 - AU-4 - AU-5 - AU-6 - AU-9 - AU-14 - MP-6 - RA-5 - SI-12 - -

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

- - -

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - Audit Record Generation - - - - - - - AU-12 - AU-12 - AC-6 - AC-17 - AU-2 - AU-3 - AU-4 - AU-5 - AU-6 - AU-7 - AU-14 - CM-5 - MA-4 - MP-4 - PM-12 - SA-8 - SC-18 - SI-3 - SI-4 - SI-7 - SI-10 - - - a. -

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

- - - b. -

Allow to select the event types that are to be logged by specific components of the system; and

- - - c. -

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

- - - -

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

- - - - - Assessment, Authorization, and Monitoring - - Policy and Procedures - - - - - - - - - - - - - - CA-1 - CA-01 - [OMB A-130, Appendix II] - [SP 800-12] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-100] - [SP 800-137] - [IR 8062] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- assessment, authorization, and monitoring policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

- - - c. -

Review and update the current assessment, authorization, and monitoring:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Control Assessments - - - - - - - CA-2 - CA-02 - [OMB A-130] - [FIPS 199] - [SP 800-18] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8062] - AC-20 - CA-5 - CA-6 - CA-7 - PM-9 - RA-5 - SA-11 - SC-38 - SI-3 - SI-12 - SR-2 - SR-3 - - - a. -

Develop a control assessment plan that describes the scope of the assessment including:

- - 1. -

Controls and control enhancements under assessment;

- - - 2. -

Assessment procedures to be used to determine control effectiveness; and

- - - 3. -

Assessment environment, assessment team, and assessment roles and responsibilities;

- - - - b. -

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

- - - c. -

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

- - - d. -

Produce a control assessment report that document the results of the assessment; and

- - - e. -

Provide the results of the control assessment to .

- - - -

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. -Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. -Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. -To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control.

- - - Independent Assessors - CA-2(1) - CA-02(01) - -

Employ independent assessors or assessment teams to conduct control assessments.

- - -

Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services. -Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews. -When organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

- - - - - Information Exchange - - - - - - - - CA-3 - CA-03 - [OMB A-130, Appendix II] - [FIPS 199] - [SP 800-47] - AC-4 - AC-20 - AU-16 - CA-6 - IA-3 - IR-4 - PL-2 - PT-8 - RA-3 - SA-9 - SC-7 - SI-12 - - - a. -

Approve and manage the exchange of information between the system and other systems using ;

- - - b. -

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

- - - c. -

Review and update the agreements .

- - - -

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk. -Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks.

- - - - Plan of Action and Milestones - - - - CA-5 - CA-05 - [OMB A-130] - [SP 800-37] - CA-2 - CA-7 - PM-4 - PM-9 - RA-7 - SI-2 - SI-12 - - - a. -

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

- - - b. -

Update existing plan of action and milestones based on the findings from control assessments, audits, and continuous monitoring activities.

- - - -

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB.

- - - - Authorization - - - - CA-6 - CA-06 - [OMB A-130] - [SP 800-37] - [SP 800-137] - CA-2 - CA-3 - CA-7 - PM-9 - PM-10 - SA-10 - SI-12 - - - a. -

Assign a senior official as the authorizing official for the system;

- - - b. -

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

- - - c. -

Ensure that the authorizing official for the system, before commencing operations:

- - 1. -

Accepts the use of common controls inherited by the system; and

- - - 2. -

Authorizes the system to operate;

- - - - d. -

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

- - - e. -

Update the authorizations .

- - - -

Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. -Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - Continuous Monitoring - - - - - - - - - - - - - - - - CA-7 - CA-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8011 v1] - [IR 8062] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PM-31 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-8 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-6 - -

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

- - a. -

Establishing the following system-level metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing control assessments in accordance with the continuous monitoring strategy;

- - - d. -

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

- - - e. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - f. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - g. -

Reporting the security and privacy status of the system to - .

- - - -

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. -Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - Independent Assessment - CA-7(1) - CA-07(01) - -

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

- - -

Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services.

- - - - Risk Monitoring - CA-7(4) - CA-07(04) - -

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

- - (a) -

Effectiveness monitoring;

- - - (b) -

Compliance monitoring; and

- - - (c) -

Change monitoring.

- - - -

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

- - - - - Internal System Connections - - - - - - - - - - CA-9 - CA-09 - [SP 800-124] - [IR 8023] - AC-3 - AC-4 - AC-18 - AC-19 - CM-2 - IA-3 - SC-7 - SI-12 - - - a. -

Authorize internal connections of to the system;

- - - b. -

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

- - - c. -

Terminate internal system connections after ; and

- - - d. -

Review the continued need for each internal connection.

- - - -

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

- - - - - Configuration Management - - Policy and Procedures - - - - - - - - - - - - - - CM-1 - CM-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- configuration management policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

- - - c. -

Review and update the current configuration management:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Baseline Configuration - - - - - - - CM-2 - CM-02 - [SP 800-124] - [SP 800-128] - AC-19 - AU-6 - CA-9 - CM-1 - CM-3 - CM-5 - CM-6 - CM-8 - CM-9 - CP-9 - CP-10 - CP-12 - MA-2 - PL-8 - PM-5 - SA-8 - SA-10 - SA-15 - SC-18 - - - a. -

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

- - - b. -

Review and update the baseline configuration of the system:

- - 1. -

- ;

- - - 2. -

When required due to ; and

- - - 3. -

When system components are installed or upgraded.

- - - - -

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

- - - Automation Support for Accuracy and Currency - - - - CM-2(2) - CM-02(02) - CM-7 - IA-3 - RA-5 - -

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using .

- - -

Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.

- - - - Retention of Previous Configurations - - - - CM-2(3) - CM-02(03) - -

Retain of previous versions of baseline configurations of the system to support rollback.

- - -

Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records.

- - - - Configure Systems and Components for High-risk Areas - - - - - - - - - - CM-2(7) - CM-02(07) - MP-4 - MP-5 - - - (a) -

Issue with to individuals traveling to locations that the organization deems to be of significant risk; and

- - - (b) -

Apply the following controls to the systems or components when the individuals return from travel: .

- - - -

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

- - - - - Configuration Change Control - - - - - - - - - - - - - - CM-3 - CM-03 - [SP 800-124] - [SP 800-128] - [IR 8062] - CA-7 - CM-2 - CM-4 - CM-5 - CM-6 - CM-9 - CM-11 - IA-3 - MA-2 - PE-16 - PT-7 - RA-8 - SA-8 - SA-10 - SC-28 - SC-34 - SC-37 - SI-2 - SI-3 - SI-4 - SI-7 - SI-10 - SR-11 - - - a. -

Determine and document the types of changes to the system that are configuration-controlled;

- - - b. -

Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

- - - c. -

Document configuration change decisions associated with the system;

- - - d. -

Implement approved configuration-controlled changes to the system;

- - - e. -

Retain records of configuration-controlled changes to the system for ;

- - - f. -

Monitor and review activities associated with configuration-controlled changes to the system; and

- - - g. -

Coordinate and provide oversight for configuration change control activities through that convenes .

- - - -

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

- - - Testing, Validation, and Documentation of Changes - CM-3(2) - CM-03(02) - -

Test, validate, and document changes to the system before finalizing the implementation of the changes.

- - -

Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.

- - - - Security and Privacy Representatives - - - - - - - CM-3(4) - CM-03(04) - -

Require to be members of the .

- - -

Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.

- - - - - Impact Analyses - CM-4 - CM-04 - [SP 800-128] - CA-7 - CM-3 - CM-8 - CM-9 - MA-2 - RA-3 - RA-5 - SA-5 - SA-8 - SA-10 - SI-2 - -

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

- - -

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required.

- - - Verification of Controls - CM-4(2) - CM-04(02) - SA-11 - SC-3 - SI-6 - -

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

- - -

Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls.

- - - - - Access Restrictions for Change - CM-5 - CM-05 - [FIPS 140-3] - [FIPS 186-4] - AC-3 - AC-5 - AC-6 - CM-9 - PE-3 - SC-28 - SC-34 - SC-37 - SI-2 - SI-10 - -

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

- - -

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

- - - - Configuration Settings - - - - - - - - - - CM-6 - CM-06 - [SP 800-70] - [SP 800-126] - [SP 800-128] - [USGCB] - [NCPR] - [DOD STIG] - AC-3 - AC-19 - AU-2 - AU-6 - CA-9 - CM-2 - CM-3 - CM-5 - CM-7 - CM-11 - CP-7 - CP-9 - CP-10 - IA-3 - IA-5 - PL-8 - RA-5 - SA-4 - SA-5 - SA-8 - SA-9 - SC-18 - SC-28 - SC-43 - SI-2 - SI-4 - SI-6 - - - a. -

Establish and document configuration settings for components employed within the system using that reflect the most restrictive mode consistent with operational requirements;

- - - b. -

Implement the configuration settings;

- - - c. -

Identify, document, and approve any deviations from established configuration settings for based on ; and

- - - d. -

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

- - - -

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. -Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. -Implementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

- - - - Least Functionality - - - - - - - CM-7 - CM-07 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-167] - AC-3 - AC-4 - CM-2 - CM-5 - CM-6 - CM-11 - RA-5 - SA-4 - SA-5 - SA-8 - SA-9 - SA-15 - SC-2 - SC-3 - SC-7 - SC-37 - SI-4 - - - a. -

Configure the system to provide only ; and

- - - b. -

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

- - - -

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).

- - - Periodic Review - - - - - - - CM-7(1) - CM-07(01) - AC-18 - - - (a) -

Review the system to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and

- - - (b) -

Disable or remove .

- - - -

Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.

- - - - Prevent Program Execution - - - - - CM-7(2) - CM-07(02) - CM-8 - PL-4 - PM-5 - PS-6 - -

Prevent program execution in accordance with .

- - -

Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time.

- - - - Authorized Software — Whitelisting - - - - - - - CM-7(5) - CM-07(05) - CM-2 - CM-6 - CM-8 - CM-10 - PM-5 - SA-10 - SC-34 - SI-7 - - - (a) -

Identify ;

- - - (b) -

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and

- - - (c) -

Review and update the list of authorized software programs .

- - - -

The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7.

- - - - - System Component Inventory - - - - - - - CM-8 - CM-08 - [OMB A-130] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-128] - CM-2 - CM-7 - CM-9 - CM-10 - CM-11 - CM-13 - CP-2 - CP-9 - MA-2 - MA-6 - PE-20 - PM-5 - SA-4 - SA-5 - SI-2 - SR-4 - - - a. -

Develop and document an inventory of system components that:

- - 1. -

Accurately reflects the system;

- - - 2. -

Includes all components within the system;

- - - 3. -

Is at the level of granularity deemed necessary for tracking and reporting; and

- - - 4. -

Includes the following information to achieve system component accountability: ; and

- - - - b. -

Review and update the system component inventory .

- - - -

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

- - - Updates During Installation and Removal - CM-8(1) - CM-08(01) - PM-16 - -

Update the inventory of system components as part of component installations, removals, and system updates.

- - -

Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components.

- - - - Automated Unauthorized Component Detection - - - - - - - - - - - CM-8(3) - CM-08(03) - AC-19 - CA-7 - RA-5 - SC-3 - SC-39 - SC-44 - SI-3 - SI-4 - SI-7 - - - (a) -

Detect the presence of unauthorized hardware, software, and firmware components within the system using - ; and

- - - (b) -

Take the following actions when unauthorized components are detected: .

- - - -

Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing.

- - - - - Configuration Management Plan - - - - CM-9 - CM-09 - [SP 800-128] - CM-2 - CM-3 - CM-4 - CM-5 - CM-8 - PL-2 - SA-10 - SI-12 - -

Develop, document, and implement a configuration management plan for the system that:

- - a. -

Addresses roles, responsibilities, and configuration management processes and procedures;

- - - b. -

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

- - - c. -

Defines the configuration items for the system and places the configuration items under configuration management;

- - - d. -

Is reviewed and approved by ; and

- - - e. -

Protects the configuration management plan from unauthorized disclosure and modification.

- - - -

Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities. -Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. -Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.

- - - - Software Usage Restrictions - CM-10 - CM-10 - AC-17 - AU-6 - CM-7 - CM-8 - SC-7 - - - a. -

Use software and associated documentation in accordance with contract agreements and copyright laws;

- - - b. -

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

- - - c. -

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

- - - -

Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement.

- - - - User-installed Software - - - - - - - - - - CM-11 - CM-11 - AC-3 - AU-6 - CM-2 - CM-3 - CM-5 - CM-6 - CM-7 - CM-8 - PL-4 - SI-7 - - - a. -

Establish governing the installation of software by users;

- - - b. -

Enforce software installation policies through the following methods: ; and

- - - c. -

Monitor policy compliance .

- - - -

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

- - - - Information Location - - - - CM-12 - CM-12 - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - AC-2 - AC-3 - AC-4 - AC-6 - AC-23 - CM-8 - PM-5 - RA-2 - SA-4 - SA-8 - SA-17 - SC-4 - SC-16 - SC-28 - SI-4 - SI-7 - - - a. -

Identify and document the location of and the specific system components on which the information is processed and stored;

- - - b. -

Identify and document the users who have access to the system and system components where the information is processed and stored; and

- - - c. -

Document changes to the location (i.e., system or system components) where the information is processed and stored.

- - - -

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

- - - Automated Tools to Support Information Location - - - - - - - CM-12(1) - CM-12(01) - -

Use automated tools to identify on to ensure controls are in place to protect organizational information and individual privacy.

- - -

The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions.

- - - - - - Contingency Planning - - Policy and Procedures - - - - - - - - - - - - - - CP-1 - CP-01 - [SP 800-12] - [SP 800-30] - [SP 800-34] - [SP 800-39] - [SP 800-50] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- contingency planning policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

- - - c. -

Review and update the current contingency planning:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Contingency Plan - - - - - - - - - - - - - CP-2 - CP-02 - [SP 800-34] - [IR 8179] - CP-3 - CP-4 - CP-6 - CP-7 - CP-8 - CP-9 - CP-10 - CP-11 - CP-13 - IR-4 - IR-6 - IR-8 - IR-9 - MA-6 - MP-2 - MP-4 - MP-5 - PL-2 - PM-8 - PM-11 - SA-15 - SA-20 - SC-7 - SC-23 - SI-12 - - - a. -

Develop a contingency plan for the system that:

- - 1. -

Identifies essential missions and business functions and associated contingency requirements;

- - - 2. -

Provides recovery objectives, restoration priorities, and metrics;

- - - 3. -

Addresses contingency roles, responsibilities, assigned individuals with contact information;

- - - 4. -

Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;

- - - 5. -

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and

- - - 6. -

Is reviewed and approved by ;

- - - - b. -

Distribute copies of the contingency plan to ;

- - - c. -

Coordinate contingency planning activities with incident handling activities;

- - - d. -

Review the contingency plan for the system ;

- - - e. -

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

- - - f. -

Communicate contingency plan changes to ; and

- - - g. -

Protect the contingency plan from unauthorized disclosure and modification.

- - - -

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. -In addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

- - - Coordinate with Related Plans - CP-2(1) - CP-02(01) - -

Coordinate contingency plan development with organizational elements responsible for related plans.

- - -

Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans.

- - - - Resume Missions and Business Functions - - - - - CP-2(3) - CP-02(03) - -

Plan for the resumption of missions and business functions within of contingency plan activation.

- - -

Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.

- - - - Identify Critical Assets - - CP-2(8) - CP-02(08) - CM-8 - RA-9 - -

Identify critical system assets supporting missions and business functions.

- - -

Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.

- - - - - Contingency Training - - - - - - - CP-3 - CP-03 - [SP 800-50] - AT-2 - AT-3 - AT-4 - CP-2 - CP-4 - CP-8 - IR-2 - IR-4 - IR-9 - -

Provide contingency training to system users consistent with assigned roles and responsibilities:

- - a. -

Within of assuming a contingency role or responsibility;

- - - b. -

When required by system changes; and

- - - c. -

- thereafter.

- - - -

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan.

- - - - Contingency Plan Testing - - - - - - - CP-4 - CP-04 - [FIPS 199] - [SP 800-34] - [SP 800-84] - AT-3 - CP-2 - CP-3 - CP-8 - CP-9 - IR-3 - IR-4 - PL-2 - PM-14 - SR-2 - - - a. -

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

- - - b. -

Review the contingency plan test results; and

- - - c. -

Initiate corrective actions, if needed.

- - - -

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

- - - Coordinate with Related Plans - CP-4(1) - CP-04(01) - IR-8 - PM-8 - -

Coordinate contingency plan testing with organizational elements responsible for related plans.

- - -

Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements.

- - - - - Alternate Storage Site - CP-6 - CP-06 - [SP 800-34] - CP-2 - CP-7 - CP-8 - CP-9 - CP-10 - MP-4 - MP-5 - PE-3 - SC-36 - SI-13 - - - a. -

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and

- - - b. -

Ensure that the alternate storage site provides controls equivalent to that of the primary site.

- - - -

Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems.

- - - Separation from Primary Site - CP-6(1) - CP-06(01) - RA-3 - -

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

- - -

Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

- - - - Accessibility - CP-6(3) - CP-06(03) - RA-3 - -

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

- - -

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

- - - - - Alternate Processing Site - - - - - - - CP-7 - CP-07 - [SP 800-34] - CP-2 - CP-6 - CP-8 - CP-9 - CP-10 - MA-6 - PE-3 - PE-11 - PE-12 - PE-17 - SC-36 - SI-13 - - - a. -

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential missions and business functions within when the primary processing capabilities are unavailable;

- - - b. -

Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and

- - - c. -

Provide controls at the alternate processing site that are equivalent to those at the primary site.

- - - -

Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems.

- - - Separation from Primary Site - CP-7(1) - CP-07(01) - RA-3 - -

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

- - -

Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

- - - - Accessibility - CP-7(2) - CP-07(02) - RA-3 - -

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

- - -

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.

- - - - Priority of Service - CP-7(3) - CP-07(03) - -

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

- - -

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.

- - - - - Telecommunications Services - - - - - - - CP-8 - CP-08 - [SP 800-34] - CP-2 - CP-6 - CP-7 - CP-11 - SC-7 - -

Establish alternate telecommunications services, including necessary agreements to permit the resumption of for essential missions and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

- - -

This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

- - - Priority of Service Provisions - CP-8(1) - CP-08(01) - - - (a) -

Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and

- - - (b) -

Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

- - - -

Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program.

- - - - Single Points of Failure - CP-8(2) - CP-08(02) - -

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

- - -

In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.

- - - - - System Backup - - - - - - - - - - - - - CP-9 - CP-09 - [FIPS 140-3] - [FIPS 186-4] - [SP 800-34] - [SP 800-130] - [SP 800-152] - CP-2 - CP-6 - CP-10 - MP-4 - MP-5 - SC-13 - SI-4 - SI-13 - - - a. -

Conduct backups of user-level information contained in - ;

- - - b. -

Conduct backups of system-level information contained in the system ;

- - - c. -

Conduct backups of system documentation, including security and privacy-related documentation ; and

- - - d. -

Protect the confidentiality, integrity, and availability of backup information.

- - - -

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

- - - Testing for Reliability and Integrity - - - - CP-9(1) - CP-09(01) - CP-4 - -

Test backup information to verify media reliability and information integrity.

- - -

Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.

- - - - Cryptographic Protection - - - - CP-9(8) - CP-09(08) - SC-12 - SC-13 - SC-28 - -

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of .

- - -

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

- - - - - System Recovery and Reconstitution - - - - CP-10 - CP-10 - [SP 800-34] - CP-2 - CP-4 - CP-6 - CP-7 - CP-9 - IR-4 - SA-8 - SC-24 - SI-13 - -

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

- - -

Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

- - - Transaction Recovery - CP-10(2) - CP-10(02) - -

Implement transaction recovery for systems that are transaction-based.

- - -

Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.

- - - - - - Identification and Authentication - - Policy and Procedures - - - - - - - - - - - - - - IA-1 - IA-01 - [OMB A-130] - [FIPS 201-2] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-100] - [IR 7874] - AC-1 - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- identification and authentication policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

- - - c. -

Review and update the current identification and authentication:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Identification and Authentication (organizational Users) - IA-2 - IA-02 - [FIPS 140-3] - [FIPS 201-2] - [FIPS 202] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-79-2] - [SP 800-156] - [SP 800-166] - [IR 7539] - [IR 7676] - [IR 7817] - [IR 7849] - [IR 7870] - [IR 7874] - [IR 7966] - AC-2 - AC-3 - AC-4 - AC-14 - AC-17 - AC-18 - AU-1 - AU-6 - IA-4 - IA-5 - IA-8 - MA-4 - MA-5 - PE-2 - PL-4 - SA-4 - SA-8 - -

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

- - -

Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. -Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. -The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

- - - Multifactor Authentication to Privileged Accounts - IA-2(1) - IA-02(01) - AC-5 - AC-6 - -

Implement multifactor authentication for access to privileged accounts.

- - -

Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

- - - - Multifactor Authentication to Non-privileged Accounts - IA-2(2) - IA-02(02) - AC-5 - -

Implement multifactor authentication for access to non-privileged accounts.

- - -

Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

- - - - Access to Accounts — Replay Resistant - - IA-2(8) - IA-02(08) - -

Implement replay-resistant authentication mechanisms for access to .

- - -

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.

- - - - Acceptance of PIV Credentials - IA-2(12) - IA-02(12) - -

Accept and electronically verify Personal Identity Verification-compliant credentials.

- - -

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential.

- - - - - Device Identification and Authentication - - - - - IA-3 - IA-03 - AC-17 - AC-18 - AC-19 - AU-6 - CA-3 - CA-9 - IA-4 - IA-5 - IA-9 - IA-11 - SI-4 - -

Uniquely identify and authenticate before establishing a connection.

- - -

Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need.

- - - - Identifier Management - - - - - - - IA-4 - IA-04 - [FIPS 201-2] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - IA-2 - IA-3 - IA-5 - IA-8 - IA-9 - MA-4 - PE-2 - PE-3 - PE-4 - PL-4 - PM-12 - PS-3 - PS-4 - PS-5 - SC-37 - -

Manage system identifiers by:

- - a. -

Receiving authorization from to assign an individual, group, role, service, or device identifier;

- - - b. -

Selecting an identifier that identifies an individual, group, role, service, or device;

- - - c. -

Assigning the identifier to the intended individual, group, role, service, or device; and

- - - d. -

Preventing reuse of identifiers for .

- - - -

Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

- - - Identify User Status - - - - IA-4(4) - IA-04(04) - -

Manage individual identifiers by uniquely identifying each individual as .

- - -

Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.

- - - - - Authenticator Management - - - - IA-5 - IA-05 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 201-2] - [FIPS 202] - [SP 800-63-3] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [IR 7539] - [IR 7817] - [IR 7849] - [IR 7870] - [IR 8040] - AC-3 - AC-6 - CM-6 - IA-2 - IA-4 - IA-7 - IA-8 - IA-9 - MA-4 - PE-2 - PL-4 - -

Manage system authenticators by:

- - a. -

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

- - - b. -

Establishing initial authenticator content for any authenticators issued by the organization;

- - - c. -

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

- - - d. -

Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

- - - e. -

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

- - - f. -

Changing default authenticators prior to first use;

- - - g. -

Changing or refreshing authenticators ;

- - - h. -

Protecting authenticator content from unauthorized disclosure and modification;

- - - i. -

Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

- - - j. -

Changing authenticators for group or role accounts when membership to those accounts changes.

- - - -

Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. -Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

- - - Password-based Authentication - - - - - - - IA-5(1) - IA-05(01) - IA-6 - -

For password-based authentication:

- - (a) -

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

- - - (b) -

Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;

- - - (c) -

Transmit only cryptographically-protected passwords;

- - - (d) -

Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;

- - - (e) -

Require immediate selection of a new password upon account recovery;

- - - (f) -

Allow user selection of long passwords and passphrases, including spaces and all printable characters;

- - - (g) -

Employ automated tools to assist the user in selecting strong password authenticators; and

- - - (h) -

Enforce the following composition and complexity rules: .

- - - -

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof.

- - - - Implement a local cache of revocation data to support path discovery and validation. - IA-5(2) - IA-05(02) - IA-3 - SC-17 - -

Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network.

- - - - - Protection of Authenticators - IA-5(6) - IA-05(06) - RA-2 - -

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

- - -

For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process.

- - - - - Authenticator Feedback - IA-6 - IA-06 - AC-3 - -

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

- - -

Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it.

- - - - Cryptographic Module Authentication - IA-7 - IA-07 - [FIPS 140-3] - AC-3 - IA-5 - SA-4 - SC-12 - SC-13 - -

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

- - -

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

- - - - Identification and Authentication (non-organizational Users) - IA-8 - IA-08 - [OMB A-130] - [FIPS 201-2] - [SP 800-63-3] - [SP 800-79-2] - [SP 800-116] - [IR 8062] - AC-2 - AC-6 - AC-14 - AC-17 - AC-18 - AU-6 - IA-2 - IA-4 - IA-5 - IA-10 - IA-11 - MA-4 - RA-3 - SA-4 - SC-8 - -

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

- - -

Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

- - - Acceptance of PIV Credentials from Other Agencies - IA-8(1) - IA-08(01) - PE-3 - -

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

- - -

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2].

- - - - Acceptance of External Credentials - IA-8(2) - IA-08(02) - -

Accept only external credentials that are NIST-compliant.

- - -

Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels.

- - - - Use of Nist-issued Profiles - IA-8(4) - IA-08(04) - -

Conform to NIST-issued profiles for identity management.

- - -

Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols.

- - - - - Re-authentication - - - - IA-11 - IA-11 - AC-3 - AC-11 - IA-2 - IA-3 - IA-8 - -

Require users to re-authenticate when .

- - -

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically.

- - - - Identity Proofing - IA-12 - IA-12 - [FIPS 201-2] - [SP 800-63-3] - [SP 800-63A] - [SP 800-79-2] - IA-1 - IA-2 - IA-3 - IA-4 - IA-5 - IA-6 - IA-8 - - - a. -

Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;

- - - b. -

Resolve user identities to a unique individual; and

- - - c. -

Collect, validate, and verify identity evidence.

- - - -

Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A].

- - - Identity Evidence - IA-12(2) - IA-12(02) - -

Require evidence of individual identification be presented to the registration authority.

- - -

Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account.

- - - - Identity Evidence Validation and Verification - - - - IA-12(3) - IA-12(03) - -

Require that the presented identity evidence be validated and verified through .

- - -

Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account

- - - - Address Confirmation - - IA-12(5) - IA-12(05) - IA-12 - -

Require that a be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

- - -

To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.

- - - - - - Incident Response - - Policy and Procedures - - - - - - - - - - - - - - IR-1 - IR-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-61] - [SP 800-83] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- incident response policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

- - - c. -

Review and update the current incident response:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Incident Response Training - - - - - - - IR-2 - IR-02 - [SP 800-50] - AT-2 - AT-3 - AT-4 - CP-3 - IR-3 - IR-4 - IR-8 - IR-9 - -

Provide incident response training to system users consistent with assigned roles and responsibilities:

- - a. -

Within of assuming an incident response role or responsibility or acquiring system access;

- - - b. -

When required by system changes; and

- - - c. -

- thereafter.

- - - -

Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3.

- - - - Incident Response Testing - - - - - - - IR-3 - IR-03 - [OMB A-130] - [SP 800-84] - [SP 800-115] - CP-3 - CP-4 - IR-2 - IR-4 - IR-8 - PM-14 - -

Test the effectiveness of the incident response capability for the system using the following tests: .

- - -

Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

- - - Coordination with Related Plans - IR-3(2) - IR-03(02) - -

Coordinate incident response testing with organizational elements responsible for related plans.

- - -

Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

- - - - - Incident Handling - IR-4 - IR-04 - [SP 800-61] - [SP 800-86] - [SP 800-101] - [SP 800-150] - [SP 800-160 v2] - [SP 800-184] - [IR 7559] - AC-19 - AU-6 - AU-7 - CM-6 - CP-2 - CP-3 - CP-4 - IR-2 - IR-3 - IR-6 - IR-8 - IR-10 - PE-6 - PL-2 - PM-12 - SA-8 - SC-5 - SC-7 - SI-3 - SI-4 - SI-7 - - - a. -

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

- - - b. -

Coordinate incident handling activities with contingency planning activities;

- - - c. -

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

- - - d. -

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

- - - -

Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk.

- - - Automated Incident Handling Processes - - - - IR-4(1) - IR-04(01) - -

Support the incident handling process using .

- - -

Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis.

- - - - - Incident Monitoring - IR-5 - IR-05 - [SP 800-61] - AU-6 - AU-7 - IR-8 - PE-6 - PM-5 - SC-5 - SC-7 - SI-3 - SI-4 - SI-7 - -

Track and document security, privacy, and supply chain incidents.

- - -

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports.

- - - - Incident Reporting - - - - - - - IR-6 - IR-06 - [SP 800-61] - CM-6 - CP-2 - IR-4 - IR-5 - IR-8 - IR-9 - - - a. -

Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within ; and

- - - b. -

Report security, privacy, and supply chain incident information to .

- - - -

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - Automated Reporting - - - - IR-6(1) - IR-06(01) - IR-7 - -

Report incidents using .

- - -

Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs.

- - - - Supply Chain Coordination - IR-6(3) - IR-06(03) - SR-8 - -

Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.

- - -

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident.

- - - - - Incident Response Assistance - IR-7 - IR-07 - [OMB A-130] - [IR 7559] - AT-2 - AT-3 - IR-4 - IR-6 - IR-8 - PM-22 - PM-26 - SA-9 - SI-18 - -

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents.

- - -

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

- - - Automation Support for Availability of Information and Support - - - - IR-7(1) - IR-07(01) - -

Increase the availability of incident response information and support using .

- - -

Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

- - - - - Incident Response Plan - - - - - - - - - - - - - - - - IR-8 - IR-08 - [OMB A-130] - [SP 800-61] - [OMB M-17-12] - AC-2 - CP-2 - CP-4 - IR-4 - IR-7 - IR-9 - PE-6 - PL-2 - SA-15 - SI-12 - SR-8 - - - a. -

Develop an incident response plan that:

- - 1. -

Provides the organization with a roadmap for implementing its incident response capability;

- - - 2. -

Describes the structure and organization of the incident response capability;

- - - 3. -

Provides a high-level approach for how the incident response capability fits into the overall organization;

- - - 4. -

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

- - - 5. -

Defines reportable incidents;

- - - 6. -

Provides metrics for measuring the incident response capability within the organization;

- - - 7. -

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

- - - 8. -

Is reviewed and approved by - ; and

- - - 9. -

Explicitly designates responsibility for incident response to .

- - - - b. -

Distribute copies of the incident response plan to ;

- - - c. -

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

- - - d. -

Communicate incident response plan changes to ; and

- - - e. -

Protect the incident response plan from unauthorized disclosure and modification.

- - - -

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

- - - - - Maintenance - - Policy and Procedures - - - - - - - - - - - - - - MA-1 - MA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- maintenance policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

- - - c. -

Review and update the current maintenance:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Controlled Maintenance - - - - - - - - - - MA-2 - MA-02 - [OMB A-130] - [IR 8023] - CM-2 - CM-3 - CM-4 - CM-5 - CM-8 - MA-4 - MP-6 - PE-16 - SI-2 - SR-3 - SR-4 - SR-11 - - - a. -

Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

- - - b. -

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

- - - c. -

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

- - - d. -

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

- - - e. -

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

- - - f. -

Include the following information in organizational maintenance records: .

- - - -

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems.

- - - - Maintenance Tools - - - - MA-3 - MA-03 - [SP 800-88] - MA-2 - PE-16 - - - a. -

Approve, control, and monitor the use of system maintenance tools; and

- - - b. -

Review previously approved system maintenance tools .

- - - -

Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools.

- - - Inspect Tools - MA-3(1) - MA-03(01) - SI-7 - -

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

- - -

Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

- - - - Inspect Media - MA-3(2) - MA-03(02) - SI-3 - -

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

- - -

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

- - - - Prevent Unauthorized Removal - - - - MA-3(3) - MA-03(03) - MP-6 - -

Prevent the removal of maintenance equipment containing organizational information by:

- - (a) -

Verifying that there is no organizational information contained on the equipment;

- - - (b) -

Sanitizing or destroying the equipment;

- - - (c) -

Retaining the equipment within the facility; or

- - - (d) -

Obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

- - - -

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

- - - - - Nonlocal Maintenance - MA-4 - MA-04 - [FIPS 140-3] - [FIPS 197] - [FIPS 201-2] - [SP 800-63-3] - [SP 800-88] - AC-2 - AC-3 - AC-6 - AC-17 - AU-2 - AU-3 - IA-2 - IA-4 - IA-5 - IA-8 - MA-2 - MA-5 - PL-2 - SC-7 - SC-10 - - - a. -

Approve and monitor nonlocal maintenance and diagnostic activities;

- - - b. -

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

- - - c. -

Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

- - - d. -

Maintain records for nonlocal maintenance and diagnostic activities; and

- - - e. -

Terminate session and network connections when nonlocal maintenance is completed.

- - - -

Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

- - - - Maintenance Personnel - MA-5 - MA-05 - AC-2 - AC-3 - AC-5 - AC-6 - IA-2 - IA-8 - MA-4 - MP-2 - PE-2 - PE-3 - PS-7 - RA-3 - - - a. -

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

- - - b. -

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

- - - c. -

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

- - - -

Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods.

- - - - Timely Maintenance - - - - - - - MA-6 - MA-06 - CM-8 - CP-2 - CP-7 - RA-7 - SA-15 - SI-13 - SR-2 - SR-3 - SR-4 - -

Obtain maintenance support and/or spare parts for within of failure.

- - -

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

- - - - - Media Protection - - Policy and Procedures - - - - - - - - - - - - - - MP-1 - MP-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- media protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

- - - c. -

Review and update the current media protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Media Access - - - - - - - MP-2 - MP-02 - [OMB A-130] - [FIPS 199] - [SP 800-111] - AC-19 - AU-9 - CP-2 - CP-9 - CP-10 - MA-5 - MP-4 - MP-6 - PE-2 - PE-3 - SC-13 - SC-34 - SI-12 - -

Restrict access to to .

- - -

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media.

- - - - Media Marking - - - - - - - MP-3 - MP-03 - [32 CFR 2002] - [FIPS 199] - AC-16 - CP-9 - MP-5 - PE-22 - SI-12 - - - a. -

Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

- - - b. -

Exempt from marking if the media remain within .

- - - -

Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Media Storage - - - - - - - MP-4 - MP-04 - [FIPS 199] - [SP 800-56A] - [SP 800-56B] - [SP 800-56C] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-111] - AC-19 - CP-2 - CP-6 - CP-9 - CP-10 - MP-2 - MP-7 - PE-3 - PL-2 - SC-13 - SC-28 - SC-34 - SI-12 - - - a. -

Physically control and securely store within ; and

- - - b. -

Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

- - - -

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection.

- - - - Media Transport - - - - - - - MP-5 - MP-05 - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - AC-7 - AC-19 - CP-2 - CP-9 - MP-3 - MP-4 - PE-16 - PL-2 - SC-13 - SC-28 - SC-34 - - - a. -

Protect and control during transport outside of controlled areas using ;

- - - b. -

Maintain accountability for system media during transport outside of controlled areas;

- - - c. -

Document activities associated with the transport of system media; and

- - - d. -

Restrict the activities associated with the transport of system media to authorized personnel.

- - - -

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

- - - - Media Sanitization - - - - - - - MP-6 - MP-06 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-88] - [SP 800-124] - [IR 8023] - [NSA MEDIA] - AC-3 - AC-7 - AU-11 - MA-2 - MA-3 - MA-4 - MA-5 - PM-22 - SI-12 - SI-18 - SI-19 - SR-11 - - - a. -

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

- - - b. -

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

- - - -

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information.

- - - - Media Use - - - - - - - - - - - MP-7 - MP-07 - [FIPS 199] - [SP 800-111] - AC-19 - AC-20 - PL-4 - PM-12 - SC-34 - SC-41 - - - a. -

- the use of on using ; and

- - - b. -

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

- - - -

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

- - - - - Physical and Environmental Protection - - Policy and Procedures - - - - - - - - - - - - - - PE-1 - PE-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - AT-3 - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- physical and environmental protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

- - - c. -

Review and update the current physical and environmental protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Physical Access Authorizations - - - - PE-2 - PE-02 - [FIPS 201-2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - AT-3 - AU-9 - IA-4 - MA-5 - MP-2 - PE-3 - PE-4 - PE-5 - PE-8 - PM-12 - PS-3 - PS-4 - PS-5 - PS-6 - - - a. -

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

- - - b. -

Issue authorization credentials for facility access;

- - - c. -

Review the access list detailing authorized facility access by individuals ; and

- - - d. -

Remove individuals from the facility access list when access is no longer required.

- - - -

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible.

- - - - Physical Access Control - - - - - - - - - - - - - - - - - - - - - - - - - - PE-3 - PE-03 - [FIPS 201-2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - [SP 800-116] - AT-3 - AU-2 - AU-6 - AU-9 - AU-13 - CP-10 - IA-3 - IA-8 - MA-5 - MP-2 - MP-4 - PE-2 - PE-4 - PE-5 - PE-8 - PS-2 - PS-3 - PS-6 - PS-7 - RA-3 - SC-28 - SI-4 - SR-3 - - - a. -

Enforce physical access authorizations at by:

- - 1. -

Verifying individual access authorizations before granting access to the facility; and

- - - 2. -

Controlling ingress and egress to the facility using ;

- - - - b. -

Maintain physical access audit logs for ;

- - - c. -

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

- - - d. -

Escort visitors and monitor visitor activity ;

- - - e. -

Secure keys, combinations, and other physical access devices;

- - - f. -

Inventory every ; and

- - - g. -

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

- - - -

Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

- - - - Access Control for Transmission - - - - - - - PE-4 - PE-04 - AT-3 - IA-4 - MP-2 - MP-4 - PE-2 - PE-3 - PE-5 - PE-9 - SC-7 - SC-8 - -

Control physical access to within organizational facilities using .

- - -

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.

- - - - Access Control for Output Devices - - - - PE-5 - PE-05 - [IR 8023] - PE-2 - PE-3 - PE-4 - PE-18 - -

Control physical access to output from to prevent unauthorized individuals from obtaining the output.

- - -

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

- - - - Monitoring Physical Access - - - - - - - PE-6 - PE-06 - AU-2 - AU-6 - AU-9 - AU-12 - CA-7 - CP-10 - IR-4 - IR-8 - - - a. -

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

- - - b. -

Review physical access logs and upon occurrence of ; and

- - - c. -

Coordinate results of reviews and investigations with the organizational incident response capability.

- - - -

Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses.

- - - Intrusion Alarms and Surveillance Equipment - PE-6(1) - PE-06(01) - -

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

- - -

Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.

- - - - - Visitor Access Records - - - - - - - - - - PE-8 - PE-08 - PE-2 - PE-3 - PE-6 - - - a. -

Maintain visitor access records to the facility where the system resides for ;

- - - b. -

Review visitor access records ; and

- - - c. -

Report anomalies in visitor access records to .

- - - -

Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas.

- - - - Power Equipment and Cabling - PE-9 - PE-09 - PE-4 - -

Protect power equipment and power cabling for the system from damage and destruction.

- - -

Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems.

- - - - Emergency Shutoff - - - - - - - PE-10 - PE-10 - PE-15 - - - a. -

Provide the capability of shutting off power to in emergency situations;

- - - b. -

Place emergency shutoff switches or devices in to facilitate access for authorized personnel; and

- - - c. -

Protect emergency power shutoff capability from unauthorized activation.

- - - -

Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.

- - - - Emergency Power - - PE-11 - PE-11 - AT-3 - CP-2 - CP-7 - -

Provide an uninterruptible power supply to facilitate in the event of a primary power source loss.

- - -

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system.

- - - - Emergency Lighting - PE-12 - PE-12 - CP-2 - CP-7 - -

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

- - -

The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites.

- - - - Fire Protection - PE-13 - PE-13 - AT-3 - -

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

- - -

The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors.

- - - Detection Systems – Automatic Activation and Notification - - - - - - - PE-13(1) - PE-13(01) - -

Employ fire detection systems that activate automatically and notify and in the event of a fire.

- - -

Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire.

- - - - - Environmental Controls - - - - - - - - - - - PE-14 - PE-14 - AT-3 - CP-2 - PE-21 - - - a. -

Maintain levels within the facility where the system resides at ; and

- - - b. -

Monitor environmental control levels .

- - - -

The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure.

- - - - Water Damage Protection - PE-15 - PE-15 - AT-3 - PE-10 - -

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

- - -

The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

- - - - Delivery and Removal - - - - PE-16 - PE-16 - CM-3 - CM-8 - MA-2 - MA-3 - MP-5 - PE-20 - SR-2 - SR-3 - SR-4 - SR-6 - - - a. -

Authorize and control entering and exiting the facility; and

- - - b. -

Maintain records of the system components.

- - - -

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

- - - - Alternate Work Site - - - - - - - PE-17 - PE-17 - [SP 800-46] - AC-17 - AC-18 - CP-7 - - - a. -

Determine and document the allowed for use by employees;

- - - b. -

Employ the following controls at alternate work sites: ;

- - - c. -

Assess the effectiveness of controls at alternate work sites; and

- - - d. -

Provide a means for employees to communicate with information security and privacy personnel in case of incidents.

- - - -

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations.

- - - - - Planning - - Policy and Procedures - - - - - - - - - - - - - - PL-1 - PL-01 - [OMB A-130] - [SP 800-12] - [SP 800-18] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- planning policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

- - - c. -

Review and update the current planning:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - System Security and Privacy Plans - - - - - - - - - - PL-2 - PL-02 - [OMB A-130, Appendix II] - [SP 800-18] - [SP 800-37] - [SP 800-160 v1] - [SP 800-160 v2] - AC-2 - AC-6 - AC-14 - AC-17 - AC-20 - CA-2 - CA-3 - CA-7 - CM-9 - CM-13 - CP-2 - CP-4 - IR-4 - IR-8 - MA-4 - MA-5 - MP-4 - MP-5 - PL-7 - PL-8 - PL-10 - PL-11 - PM-1 - PM-7 - PM-8 - PM-9 - PM-10 - PM-11 - RA-3 - RA-8 - RA-9 - SA-5 - SA-17 - SA-22 - SI-12 - SR-2 - SR-4 - - - a. -

Develop security and privacy plans for the system that:

- - 1. -

Are consistent with the organization’s enterprise architecture;

- - - 2. -

Explicitly define the constituent system components;

- - - 3. -

Describe the operational context of the system in terms of missions and business processes;

- - - 4. -

Provide the security categorization of the system, including supporting rationale;

- - - 5. -

Describe any specific threats to the system that are of concern to the organization;

- - - 6. -

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

- - - 7. -

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

- - - 8. -

Provide an overview of the security and privacy requirements for the system;

- - - 9. -

Identify any relevant control baselines or overlays, if applicable;

- - - 10. -

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

- - - 11. -

Include risk determinations for security and privacy architecture and design decisions;

- - - 12. -

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

- - - 13. -

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

- - - - b. -

Distribute copies of the plans and communicate subsequent changes to the plans to ;

- - - c. -

Review the plans ;

- - - d. -

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

- - - e. -

Protect the plans from unauthorized disclosure and modification.

- - - -

System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. -Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. -Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. -Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate.

- - - - Rules of Behavior - - - - - - - - PL-4 - PL-04 - [OMB A-130] - [SP 800-18] - AC-2 - AC-6 - AC-8 - AC-9 - AC-17 - AC-18 - AC-19 - AC-20 - AT-2 - AT-3 - CM-11 - IA-2 - IA-4 - IA-5 - MP-7 - PS-6 - PS-8 - SA-5 - SI-12 - - - a. -

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

- - - b. -

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

- - - c. -

Review and update the rules of behavior ; and

- - - d. -

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

- - - -

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons.

- - - Social Media and External Site/application Usage Restrictions - PL-4(1) - PL-04(01) - AC-22 - AU-13 - -

Include in the rules of behavior, restrictions on:

- - (a) -

Use of social media, social networking sites, and external sites/applications;

- - - (b) -

Posting organizational information on public websites; and

- - - (c) -

Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications.

- - - -

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information.

- - - - - Security and Privacy Architectures - - - - PL-8 - PL-08 - [OMB A-130] - [SP 800-160 v1] - [SP 800-160 v2] - CM-2 - CM-6 - PL-2 - PL-7 - PL-9 - PM-5 - PM-7 - RA-9 - SA-3 - SA-5 - SA-8 - SA-17 - - - a. -

Develop security and privacy architectures for the system that:

- - 1. -

Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

- - - 2. -

Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

- - - 3. -

Describe how the architectures are integrated into and support the enterprise architecture; and

- - - 4. -

Describe any assumptions about, and dependencies on, external systems and services;

- - - - b. -

Review and update the architectures to reflect changes in the enterprise architecture; and

- - - c. -

Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions.

- - - -

The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs. -[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews). -In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented. -PL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

- - - - Baseline Selection - PL-10 - PL-10 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53B] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [CNSSI 1253] - PL-2 - PL-11 - RA-2 - RA-3 - SA-8 - -

Select a control baseline for the system.

- - -

Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments.

- - - - Baseline Tailoring - PL-11 - PL-11 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53B] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [CNSSI 1253] - PL-10 - RA-2 - RA-3 - RA-9 - SA-8 - -

Tailor the selected control baseline by applying specified tailoring actions.

- - -

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities.

- - - - - Program Management - - Information Security Program Plan - - - - PM-1 - PM-01 - [FISMA] - [OMB A-130] - PL-2 - PM-8 - PM-12 - RA-9 - SI-12 - SR-2 - - - a. -

Develop and disseminate an organization-wide information security program plan that:

- - 1. -

Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;

- - - 2. -

Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

- - - 3. -

Reflects the coordination among organizational entities responsible for information security; and

- - - 4. -

Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

- - - - b. -

Review the organization-wide information security program plan ;

- - - c. -

Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and

- - - d. -

Protect the information security program plan from unauthorized disclosure and modification.

- - - -

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents. -Information security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. -Program management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization. -Common controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.

- - - - Information Security Program Leadership Role - PM-2 - PM-02 - [OMB M-17-25] - [SP 800-37] - [SP 800-39] - -

Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

- - -

The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.

- - - - Information Security and Privacy Resources - PM-3 - PM-03 - [OMB A-130] - PM-4 - SA-2 - - - a. -

Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;

- - - b. -

Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and

- - - c. -

Make available for expenditure, the planned information security and privacy resources.

- - - -

Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.

- - - - Plan of Action and Milestones Process - PM-4 - PM-04 - [PRIVACT] - [OMB A-130] - [SP 800-37] - CA-5 - CA-7 - PM-3 - RA-7 - SI-12 - - - a. -

Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:

- - 1. -

Are developed and maintained;

- - - 2. -

Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and

- - - 3. -

Are reported in accordance with established reporting requirements.

- - - - b. -

Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5.

- - - - System Inventory - - - - PM-5 - PM-05 - [IR 8062] - -

Develop and update an inventory of organizational systems.

- - -

[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8.

- - - Inventory of Personally Identifiable Information - - - - PM-5(1) - PM-05(01) - CM-8 - CM-12 - CM-13 - PL-8 - PM-22 - PT-3 - PT-6 - SI-12 - SI-18 - -

Establish, maintain, and update an inventory of all systems, applications, and projects that process personally identifiable information.

- - -

An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.

- - - - - Measures of Performance - PM-6 - PM-06 - [OMB A-130] - [SP 800-55] - [SP 800-137] - CA-7 - -

Develop, monitor, and report on the results of information security and privacy measures of performance.

- - -

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program.

- - - - Enterprise Architecture - PM-7 - PM-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - [SP 800-160 v2] - AU-6 - PL-2 - PL-8 - PM-11 - RA-2 - SA-3 - SA-8 - SA-17 - -

Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.

- - -

The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines.

- - - Offloading - - - - PM-7(1) - PM-07(01) - SA-8 - -

Offload to other systems, system components, or an external provider.

- - -

Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services.

- - - - - Critical Infrastructure Plan - PM-8 - PM-08 - [OMB A-130] - [HSPD 7] - [DHS NIPP] - CP-2 - CP-4 - PE-18 - PL-2 - PM-9 - PM-11 - PM-18 - RA-3 - SI-12 - -

Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

- - -

Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Risk Management Strategy - - - - PM-9 - PM-09 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - AC-1 - AU-1 - AT-1 - CA-1 - CA-2 - CA-5 - CA-6 - CA-7 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PL-2 - PM-2 - PM-8 - PM-18 - PM-28 - PM-30 - PS-1 - PT-1 - PT-2 - PT-3 - RA-1 - RA-3 - RA-9 - SA-1 - SA-4 - SC-1 - SC-38 - SI-1 - SI-12 - SR-1 - SR-2 - - - a. -

Develops a comprehensive strategy to manage:

- - 1. -

Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and

- - - 2. -

Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

- - - - b. -

Implement the risk management strategy consistently across the organization; and

- - - c. -

Review and update the risk management strategy or as required, to address organizational changes.

- - - -

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive.

- - - - Authorization Process - PM-10 - PM-10 - [SP 800-37] - [SP 800-39] - CA-6 - CA-7 - PL-2 - - - a. -

Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;

- - - b. -

Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and

- - - c. -

Integrate the authorization processes into an organization-wide risk management program.

- - - -

Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.

- - - - Mission and Business Process Definition - - - - PM-11 - PM-11 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - CP-2 - PL-2 - PM-7 - PM-8 - RA-2 - RA-3 - SA-2 - - - a. -

Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and

- - - b. -

Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and

- - - c. -

Review and revise the mission and business processes .

- - - -

Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures.

- - - - Insider Threat Program - PM-12 - PM-12 - [EO 13587] - [ODNI NITP] - AC-6 - AT-2 - AU-6 - AU-7 - AU-10 - AU-12 - AU-13 - CA-7 - IA-4 - IR-4 - MP-7 - PE-2 - PM-16 - PS-3 - PS-4 - PS-5 - PS-7 - PS-8 - SC-7 - SC-38 - SI-4 - PM-14 - -

Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

- - -

Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture. -Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Security and Privacy Workforce - PM-13 - PM-13 - [OMB A-130] - [SP 800-181] - AT-2 - AT-3 - -

Establish a security and privacy workforce development and improvement program.

- - -

Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.

- - - - Testing, Training, and Monitoring - PM-14 - PM-14 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - AT-2 - AT-3 - CA-7 - CP-4 - IR-3 - PM-12 - SI-4 - - - a. -

Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:

- - 1. -

Are developed and maintained; and

- - - 2. -

Continue to be executed; and

- - - - b. -

Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

- - - - Security and Privacy Groups and Associations - PM-15 - PM-15 - [OMB A-130] - SA-11 - SI-5 - -

Establish and institutionalize contact with selected groups and associations within the security and privacy communities:

- - a. -

To facilitate ongoing security and privacy education and training for organizational personnel;

- - - b. -

To maintain currency with recommended security and privacy practices, techniques, and technologies; and

- - - c. -

To share current security and privacy information, including threats, vulnerabilities, and incidents.

- - - -

Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Threat Awareness Program - PM-16 - PM-16 - IR-4 - PM-12 - -

Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.

- - -

Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared.

- - - Automated Means for Sharing Threat Intelligence - PM-16(1) - PM-16(01) - -

Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.

- - -

To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures.

- - - - - Protecting Controlled Unclassified Information on External Systems - - - - PM-17 - PM-17 - [32 CFR 2002] - [SP 800-171] - [NARA CUI] - CA-6 - PM-10 - - - a. -

Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards.

- - - b. -

Update the policy and procedures .

- - - -

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

- - - - Privacy Program Plan - PM-18 - PM-18 - [PRIVACT] - [OMB A-130] - PM-8 - PM-9 - PM-19 - - - a. -

Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:

- - 1. -

Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;

- - - 2. -

Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;

- - - 3. -

Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;

- - - 4. -

Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;

- - - 5. -

Reflects coordination among organizational entities responsible for the different aspects of privacy; and

- - - 6. -

Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and

- - - - b. -

Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.

- - - -

A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. -The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. -Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. -Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.

- - - - Privacy Program Leadership Role - PM-19 - PM-19 - [OMB A-130] - PM-18 - PM-20 - PM-23 - PM-24 - -

Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

- - -

The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24).

- - - - Dissemination of Privacy Program Information - PM-20 - PM-20 - [PRIVACT] - [OMB A-130] - [OMB M-17-06] - PM-19 - PT-6 - PT-7 - RA-8 - -

Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:

- - a. -

Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;

- - - b. -

Ensures that organizational privacy practices and reports are publicly available; and

- - - c. -

Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.

- - - -

Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications.

- - - - Accounting of Disclosures - PM-21 - PM-21 - [PRIVACT] - [OMB A-130] - AU-2 - PT-2 - - - a. -

Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:

- - 1. -

Date, nature, and purpose of each disclosure; and

- - - 2. -

Name and address, or other contact information of the person or organization to which the disclosure was made;

- - - - b. -

Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and

- - - c. -

Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.

- - - -

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. -Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions.

- - - - Personally Identifiable Information Quality Management - PM-22 - PM-22 - [OMB A-130] - [SP 800-188] - PM-23 - SI-18 - -

Develop and document policies and procedures for:

- - a. -

Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;

- - - b. -

Correcting or deleting inaccurate or outdated personally identifiable information;

- - - c. -

Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and

- - - d. -

Appeals of adverse decisions on correction or deletion requests.

- - - -

Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. -The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. -Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.

- - - - Data Governance Body - - - - - - - PM-23 - PM-23 - [EVIDACT] - [OMB A-130] - [OMB M-19-23] - [SP 800-188] - AT-2 - AT-3 - PM-19 - PM-22 - PM-24 - PT-8 - SI-4 - SI-19 - -

Establish a Data Governance Body consisting of with .

- - -

A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23].

- - - - Data Integrity Board - PM-24 - PM-24 - [PRIVACT] - [OMB A-130, Appendix II] - [OMB A-108] - AC-4 - PM-19 - PM-23 - PT-8 - -

Establish a Data Integrity Board to:

- - a. -

Review proposals to conduct or participate in a matching program; and

- - - b. -

Conduct an annual review of all matching programs in which the agency has participated.

- - - -

A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.

- - - - Minimization of Pii Used in Testing, Training, and Research - - - - PM-25 - PM-25 - [OMB A-130, Appendix II] - PM-23 - PT-3 - SA-3 - - - a. -

Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;

- - - b. -

Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;

- - - c. -

Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and

- - - d. -

Review and update policies and procedures .

- - - -

The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2).

- - - - Complaint Management - - - - - - - - - - PM-26 - PM-26 - [OMB A-130] - IR-7 - IR-9 - PM-22 - SI-18 - -

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:

- - a. -

Mechanisms that are easy to use and readily accessible by the public;

- - - b. -

All information necessary for successfully filing complaints;

- - - c. -

Tracking mechanisms to ensure all complaints received are reviewed and addressed within ;

- - - d. -

Acknowledgement of receipt of complaints, concerns, or questions from individuals within ; and

- - - e. -

Response to complaints, concerns, or questions from individuals within .

- - - -

Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information.

- - - - Privacy Reporting - - - - - - - - - - PM-27 - PM-27 - [FISMA] - [OMB A-130] - [OMB A-108] - IR-9 - PM-19 - - - a. -

Develop and disseminate to:

- - 1. -

OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

- - - 2. -

- and other personnel with responsibility for monitoring privacy program compliance; and

- - - - b. -

Review and update privacy reports .

- - - -

Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.

- - - - Risk Framing - - - - - - - PM-28 - PM-28 - [OMB A-130] - [SP 800-39] - CA-7 - PM-9 - RA-3 - RA-7 - - - a. -

Identify and document:

- - 1. -

Assumptions affecting risk assessments, risk responses, and risk monitoring;

- - - 2. -

Constraints affecting risk assessments, risk responses, and risk monitoring;

- - - 3. -

Priorities and trade-offs considered by the organization for managing risk; and

- - - 4. -

Organizational risk tolerance; and

- - - - b. -

Distribute the results of risk framing activities to ;

- - - c. -

Review and update risk framing considerations .

- - - -

Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.

- - - - Risk Management Program Leadership Roles - PM-29 - PM-29 - [SP 800-37] - PM-2 - PM-19 - - - a. -

Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and

- - - b. -

Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.

- - - -

The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.

- - - - Supply Chain Risk Management Strategy - - - - PM-30 - PM-30 - [SP 800-161] - PM-9 - SR-1 - SR-2 - SR-3 - SR-4 - SR-5 - SR-6 - SR-7 - SR-8 - SR-9 - SR-11 - - - a. -

Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;

- - - b. -

Implement the supply chain risk management strategy consistently across the organization; and

- - - c. -

Review and update the supply chain risk management strategy on or as required, to address organizational changes.

- - - -

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level.

- - - - Continuous Monitoring Strategy - - - - - - - - - - - - - - - - PM-31 - PM-31 - [SP 800-37] - [SP 800-137] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CA-7 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-2 - SR-4 - -

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

- - a. -

Establishing the following organization-wide metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;

- - - d. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - e. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - f. -

Reporting the security and privacy status of organizational systems to - .

- - - -

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - - Purposing - - - - PM-32 - PM-32 - [SP 800-137] - CA-7 - PL-2 - RA-3 - RA-9 - -

Analyze supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.

- - -

Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures.

- - - - - Personnel Security - - Policy and Procedures - - - - - - - - - - - - - - PS-1 - PS-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- personnel security policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

- - - c. -

Review and update the current personnel security:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Position Risk Designation - - - - PS-2 - PS-02 - [5 CFR 731] - AC-5 - AT-3 - PE-2 - PE-3 - PL-2 - PS-3 - PS-6 - SA-5 - SA-21 - SI-12 - - - a. -

Assign a risk designation to all organizational positions;

- - - b. -

Establish screening criteria for individuals filling those positions; and

- - - c. -

Review and update position risk designations .

- - - -

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

- - - - Personnel Screening - - - - PS-3 - PS-03 - [EO 13526] - [EO 13587] - [FIPS 199] - [FIPS 201-2] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-73-4] - [SP 800-76-2] - [SP 800-78-4] - AC-2 - IA-4 - MA-5 - PE-2 - PM-12 - PS-2 - PS-6 - PS-7 - SA-21 - - - a. -

Screen individuals prior to authorizing access to the system; and

- - - b. -

Rescreen individuals in accordance with .

- - - -

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

- - - - Personnel Termination - - - - - - - PS-4 - PS-04 - AC-2 - IA-4 - PE-2 - PM-12 - PS-6 - PS-7 - -

Upon termination of individual employment:

- - a. -

Disable system access within ;

- - - b. -

Terminate or revoke any authenticators and credentials associated with the individual;

- - - c. -

Conduct exit interviews that include a discussion of ;

- - - d. -

Retrieve all security-related organizational system-related property; and

- - - e. -

Retain access to organizational information and systems formerly controlled by terminated individual.

- - - -

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified.

- - - - Personnel Transfer - - - - - - - - - - - - - PS-5 - PS-05 - AC-2 - IA-4 - PE-2 - PM-12 - PS-4 - PS-7 - - - a. -

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

- - - b. -

Initiate within ;

- - - c. -

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

- - - d. -

Notify within .

- - - -

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

- - - - Access Agreements - - - - - - - PS-6 - PS-06 - AC-17 - PE-2 - PL-4 - PS-2 - PS-3 - PS-6 - PS-7 - PS-8 - SA-21 - SI-12 - - - a. -

Develop and document access agreements for organizational systems;

- - - b. -

Review and update the access agreements ; and

- - - c. -

Verify that individuals requiring access to organizational information and systems:

- - 1. -

Sign appropriate access agreements prior to being granted access; and

- - - 2. -

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

- - - - -

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

- - - - External Personnel Security - - - - - - - PS-7 - PS-07 - [SP 800-35] - AT-2 - AT-3 - MA-5 - PE-3 - PS-2 - PS-3 - PS-4 - PS-5 - PS-6 - SA-5 - SA-9 - SA-21 - - - a. -

Establish personnel security requirements, including security roles and responsibilities for external providers;

- - - b. -

Require external providers to comply with personnel security policies and procedures established by the organization;

- - - c. -

Document personnel security requirements;

- - - d. -

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

- - - e. -

Monitor provider compliance with personnel security requirements.

- - - -

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated.

- - - - Personnel Sanctions - - - - - - - PS-8 - PS-08 - AC-1 - AT-1 - AU-1 - CA-1 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PM-1 - PS-1 - PT-1 - RA-1 - SA-1 - SC-1 - SI-1 - SR-1 - PL-4 - PM-12 - PS-6 - PT-1 - - - a. -

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

- - - b. -

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

- - - -

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

- - - - - Risk Assessment - - Policy and Procedures - - - - - - - - - - - - - - RA-1 - RA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- risk assessment policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

- - - c. -

Review and update the current risk assessment:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Security Categorization - RA-2 - RA-02 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - CM-8 - MP-4 - PL-2 - PL-10 - PL-11 - PM-7 - RA-3 - RA-5 - RA-7 - RA-8 - SA-8 - SC-7 - SC-38 - SI-12 - - - a. -

Categorize the system and information it processes, stores, and transmits;

- - - b. -

Document the security categorization results, including supporting rationale, in the security plan for the system; and

- - - c. -

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

- - - -

Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. -Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts. -Security categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant.

- - - - Risk Assessment - - - - - - - - - - - - - - RA-3 - RA-03 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - [IR 8062] - CA-3 - CM-4 - CM-13 - CP-6 - CP-7 - IA-8 - MA-5 - PE-3 - PE-18 - PL-2 - PL-10 - PL-11 - PM-8 - PM-9 - PM-28 - RA-2 - RA-5 - RA-7 - SA-8 - SA-9 - SC-38 - SI-12 - - - a. -

Conduct a risk assessment, including:

- - 1. -

The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

- - - 2. -

The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

- - - - b. -

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

- - - c. -

Document risk assessment results in ;

- - - d. -

Review risk assessment results ;

- - - e. -

Disseminate risk assessment results to ; and

- - - f. -

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

- - - -

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. -Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. -In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

- - - Supply Chain Risk Assessment - - - - - - - RA-3(1) - RA-03(01) - RA-2 - RA-9 - PM-17 - SR-2 - - - (a) -

Assess supply chain risks associated with ; and

- - - (b) -

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

- - - -

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

- - - - - Vulnerability Monitoring and Scanning - - - - - - - - - - RA-5 - RA-05 - [SP 800-40] - [SP 800-53A] - [SP 800-70] - [SP 800-115] - [SP 800-126] - [IR 7788] - [IR 8023] - CA-2 - CA-7 - CM-2 - CM-4 - CM-6 - CM-8 - RA-2 - RA-3 - SA-11 - SA-15 - SC-38 - SI-2 - SI-3 - SI-4 - SI-7 - SR-11 - - - a. -

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

- - - b. -

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

- - 1. -

Enumerating platforms, software flaws, and improper configurations;

- - - 2. -

Formatting checklists and test procedures; and

- - - 3. -

Measuring vulnerability impact;

- - - - c. -

Analyze vulnerability scan reports and results from vulnerability monitoring;

- - - d. -

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

- - - e. -

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

- - - f. -

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

- - - -

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. -Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). -Vulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. -Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

- - - Update System Vulnerabilities - - - - - RA-5(2) - RA-05(02) - SI-5 - -

Update the system vulnerabilities to be scanned .

- - -

Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

- - - - Privileged Access - - - - - - - RA-5(5) - RA-05(05) - -

Implement privileged access authorization to for .

- - -

In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

- - - - - Risk Response - RA-7 - RA-07 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - CA-5 - IR-9 - PM-4 - PM-28 - RA-2 - RA-3 - SR-2 - -

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

- - -

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

- - - - Criticality Analysis - - - - - - - RA-9 - RA-09 - [IR 8179] - CP-2 - PL-2 - PL-8 - PL-11 - PM-1 - RA-2 - SA-8 - SA-15 - SA-20 - -

Identify critical system components and functions by performing a criticality analysis for at .

- - -

Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system. -The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.

- - - - - System and Services Acquisition - - Policy and Procedures - - - - - - - - - - - - - - SA-1 - SA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [SP 800-160 v1] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and services acquisition policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

- - - c. -

Review and update the current system and services acquisition:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Allocation of Resources - SA-2 - SA-02 - [OMB A-130] - [SP 800-160 v1] - PL-7 - PM-3 - PM-11 - SA-9 - SR-3 - SR-5 - - - a. -

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

- - - b. -

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

- - - c. -

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

- - - -

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle.

- - - - System Development Life Cycle - - - - SA-3 - SA-03 - [OMB A-130] - [SP 800-30] - [SP 800-37] - [SP 800-160 v1] - [SP 800-171] - [SP 800-171B] - AT-3 - PL-8 - PM-7 - SA-4 - SA-5 - SA-8 - SA-11 - SA-15 - SA-17 - SA-22 - SR-3 - SR-5 - SR-9 - - - a. -

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

- - - b. -

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

- - - c. -

Identify individuals having information security and privacy roles and responsibilities; and

- - - d. -

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

- - - -

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. -The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle.

- - - - Acquisition Process - - - - - SA-4 - SA-04 - [PRIVACT] - [OMB A-130] - [ISO 15408-1] - [ISO 15408-2] - [ISO 15408-3] - [FIPS 140-3] - [FIPS 201-2] - [SP 800-35] - [SP 800-37] - [SP 800-70] - [SP 800-73-4] - [SP 800-137] - [SP 800-160 v1] - [SP 800-161] - [IR 7539] - [IR 7622] - [IR 7676] - [IR 7870] - [IR 8062] - [NIAP CCEVS] - [NSA CSFC] - CM-6 - CM-8 - PS-7 - SA-3 - SA-5 - SA-8 - SA-11 - SA-15 - SA-16 - SA-17 - SA-21 - SR-3 - SR-5 - -

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

- - a. -

Security and privacy functional requirements;

- - - b. -

Strength of mechanism requirements;

- - - c. -

Security and privacy assurance requirements;

- - - d. -

Controls needed to satisfy the security and privacy requirements.

- - - e. -

Security and privacy documentation requirements;

- - - f. -

Requirements for protecting security and privacy documentation;

- - - g. -

Description of the system development environment and environment in which the system is intended to operate;

- - - h. -

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

- - - i. -

Acceptance criteria.

- - - -

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. -Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. -Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement.

- - - Functional Properties of Controls - SA-4(1) - SA-04(01) - -

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

- - -

Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

- - - - Design and Implementation Information for Controls - - - - - - - - SA-4(2) - SA-04(02) - -

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: at .

- - -

Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.

- - - - Functions, Ports, Protocols, and Services in Use - SA-4(9) - SA-04(09) - CM-7 - SA-9 - -

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

- - -

The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.

- - - - Use of Approved PIV Products - SA-4(10) - SA-04(10) - IA-2 - IA-8 - PM-9 - -

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

- - -

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations.

- - - - - System Documentation - - - - - - - SA-5 - SA-05 - [SP 800-160 v1] - CM-4 - CM-6 - CM-7 - CM-8 - PL-2 - PL-4 - PL-8 - PS-2 - SA-3 - SA-4 - SA-8 - SA-9 - SA-10 - SA-11 - SA-15 - SA-16 - SA-17 - SI-12 - SR-3 - - - a. -

Obtain administrator documentation for the system, system component, or system service that describes:

- - 1. -

Secure configuration, installation, and operation of the system, component, or service;

- - - 2. -

Effective use and maintenance of security and privacy functions and mechanisms; and

- - - 3. -

Known vulnerabilities regarding configuration and use of administrative or privileged functions;

- - - - b. -

Obtain user documentation for the system, system component, or system service that describes:

- - 1. -

User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;

- - - 2. -

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and

- - - 3. -

User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

- - - - c. -

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes in response;

- - - d. -

Protect documentation as required, in accordance with the organizational risk management strategy; and

- - - e. -

Distribute documentation to .

- - - -

System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

- - - - Security and Privacy Engineering Principles - - - - SA-8 - SA-08 - [FIPS 199] - [FIPS 200] - [SP 800-53A] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - [IR 8062] - PL-8 - PM-7 - RA-2 - RA-3 - RA-9 - SA-3 - SA-4 - SA-15 - SA-17 - SA-20 - SC-2 - SC-3 - SC-32 - SC-39 - SR-2 - SR-3 - SR-5 - -

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

- - -

Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. -The application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. -Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design.

- - - - External System Services - - - - - - - SA-9 - SA-09 - [OMB A-130] - [SP 800-35] - [SP 800-160 v1] - [SP 800-161] - AC-20 - CA-3 - CP-2 - IR-4 - IR-7 - PL-10 - PL-11 - PS-7 - SA-2 - SA-4 - SR-3 - SR-5 - - - a. -

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

- - - b. -

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

- - - c. -

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

- - - -

External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - Identification of Functions, Ports, Protocols, and Services - - - - SA-9(2) - SA-09(02) - CM-6 - CM-7 - -

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: .

- - -

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.

- - - - - Developer Configuration Management - - - - - - - - SA-10 - SA-10 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 202] - [SP 800-128] - [SP 800-160 v1] - CM-2 - CM-3 - CM-4 - CM-7 - CM-9 - SA-4 - SA-5 - SA-8 - SA-15 - SI-2 - SR-3 - SR-4 - SR-5 - SR-6 - -

Require the developer of the system, system component, or system service to:

- - a. -

Perform configuration management during system, component, or service ;

- - - b. -

Document, manage, and control the integrity of changes to ;

- - - c. -

Implement only organization-approved changes to the system, component, or service;

- - - d. -

Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and

- - - e. -

Track security flaws and flaw resolution within the system, component, or service and report findings to .

- - - -

Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes. -The configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.

- - - - Developer Testing and Evaluation - - - - - - - - SA-11 - SA-11 - [ISO 15408-3] - [SP 800-30] - [SP 800-53A] - [SP 800-154] - [SP 800-160 v1] - CA-2 - CA-7 - CM-4 - SA-3 - SA-4 - SA-5 - SA-8 - SA-15 - SA-17 - SI-2 - SR-5 - SR-6 - SR-7 - -

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

- - a. -

Develop and implement a plan for ongoing security and privacy assessments;

- - - b. -

Perform testing/evaluation at ;

- - - c. -

Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;

- - - d. -

Implement a verifiable flaw remediation process; and

- - - e. -

Correct flaws identified during testing and evaluation.

- - - -

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. -Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

- - - - Development Process, Standards, and Tools - - - - - - - SA-15 - SA-15 - [SP 800-160 v1] - [IR 8179] - MA-6 - SA-3 - SA-4 - SA-8 - SA-10 - SA-11 - SR-3 - SR-4 - SR-5 - SR-6 - SR-9 - - - a. -

Require the developer of the system, system component, or system service to follow a documented development process that:

- - 1. -

Explicitly addresses security and privacy requirements;

- - - 2. -

Identifies the standards and tools used in the development process;

- - - 3. -

Documents the specific tool options and tool configurations used in the development process; and

- - - 4. -

Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

- - - - b. -

Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: .

- - - -

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.

- - - Criticality Analysis - - - - - - - SA-15(3) - SA-15(03) - RA-9 - -

Require the developer of the system, system component, or system service to perform a criticality analysis:

- - (a) -

At the following decision points in the system development life cycle: ; and

- - - (b) -

At the following level of rigor: .

- - - -

Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.

- - - - - Unsupported System Components - - - - - SA-22 - SA-22 - PL-2 - SA-3 - - - a. -

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or

- - - b. -

Provide the following options for alternative sources for continued support for unsupported components .

- - - -

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. -Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors.

- - - - - System and Communications Protection - - Policy and Procedures - - - - - - - - - - - - - - SC-1 - SC-01 - [OMB A-130] - [SP 800-12] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and communications protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

- - - c. -

Review and update the current system and communications protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Separation of System and User Functionality - SC-2 - SC-02 - AC-6 - SA-4 - SA-8 - SC-3 - SC-7 - SC-22 - SC-32 - SC-39 - -

Separate user functionality, including user interface services, from system management functionality.

- - -

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).

- - - - Information in Shared System Resources - SC-4 - SC-04 - AC-3 - AC-4 - SA-8 - -

Prevent unauthorized and unintended information transfer via shared system resources.

- - -

Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

- - - - Denial of Service Protection - - - - - - - - SC-5 - SC-05 - [SP 800-189] - CP-2 - IR-4 - SC-6 - SC-7 - SC-40 - - - a. -

- the effects of the following types of denial of service events: ; and

- - - b. -

Employ the following controls to achieve the denial of service objective: .

- - - -

Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events.

- - - - Boundary Protection - - SC-7 - SC-07 - [OMB A-130] - [FIPS 199] - [SP 800-37] - [SP 800-41] - [SP 800-77] - [SP 800-189] - AC-4 - AC-17 - AC-18 - AC-19 - AC-20 - AU-13 - CA-3 - CM-2 - CM-4 - CM-7 - CM-10 - CP-8 - CP-10 - IR-4 - MA-4 - PE-3 - PM-12 - SA-8 - SC-5 - SC-32 - SC-43 - - - a. -

Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;

- - - b. -

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

- - - c. -

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

- - - -

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions.

- - - Access Points - SC-7(3) - SC-07(03) - -

Limit the number of external network connections to the system.

- - -

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

- - - - External Telecommunications Services - - - - SC-7(4) - SC-07(04) - AC-3 - SC-8 - - - (a) -

Implement a managed interface for each external telecommunication service;

- - - (b) -

Establish a traffic flow policy for each managed interface;

- - - (c) -

Protect the confidentiality and integrity of the information being transmitted across each interface;

- - - (d) -

Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

- - - (e) -

Review exceptions to the traffic flow policy and remove exceptions that are no longer supported by an explicit mission or business need;

- - - (f) -

Prevent unauthorized exchange of control plane traffic with external networks;

- - - (g) -

Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

- - - (h) -

Filter unauthorized control plane traffic from external networks.

- - - -

External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.”

- - - - Deny by Default — Allow by Exception - - - - - SC-7(5) - SC-07(05) - -

Deny network communications traffic by default and allow network communications traffic by exception .

- - -

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

- - - - Prevent Split Tunneling for Remote Devices - SC-7(7) - SC-07(07) - -

Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

- - -

Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information.

- - - - Route Traffic to Authenticated Proxy Servers - - - - - - - SC-7(8) - SC-07(08) - AC-3 - -

Route to through authenticated proxy servers at managed interfaces.

- - -

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation).

- - - - - Transmission Confidentiality and Integrity - - SC-8 - SC-08 - [FIPS 140-3] - [FIPS 197] - [SP 800-52] - [SP 800-77] - [SP 800-81-2] - [SP 800-113] - [SP 800-177] - [IR 8023] - AC-17 - AC-18 - AU-10 - IA-3 - IA-8 - IA-9 - MA-4 - PE-4 - SA-4 - SA-8 - SC-7 - SC-16 - SC-20 - SC-23 - SC-28 - -

Protect the of transmitted information.

- - -

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. -Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

- - - Cryptographic Protection - - SC-8(1) - SC-08(01) - SC-13 - -

Implement cryptographic mechanisms to during transmission.

- - -

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path.

- - - - - Network Disconnect - - - - SC-10 - SC-10 - AC-17 - SC-23 - -

Terminate the network connection associated with a communications session at the end of the session or after of inactivity.

- - -

Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses.

- - - - Cryptographic Key Establishment and Management - - - - SC-12 - SC-12 - [FIPS 140-3] - [SP 800-56A] - [SP 800-56B] - [SP 800-56C] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-63-3] - [IR 7956] - [IR 7966] - AC-17 - AU-9 - AU-10 - CM-3 - IA-3 - IA-7 - SA-4 - SA-8 - SA-9 - SC-8 - SC-11 - SC-13 - SC-17 - SC-20 - SC-37 - SC-40 - SI-3 - SI-7 - -

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

- - -

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

- - - - Cryptographic Protection - - - - - - - SC-13 - SC-13 - [FIPS 140-3] - AC-2 - AC-3 - AC-7 - AC-17 - AC-18 - AC-19 - AU-9 - AU-10 - CM-11 - CP-9 - IA-3 - IA-7 - MA-4 - MP-2 - MP-4 - MP-5 - SA-4 - SA-8 - SA-9 - SC-8 - SC-12 - SC-20 - SC-23 - SC-28 - SC-40 - SI-3 - SI-7 - - - a. -

Determine the ; and

- - - b. -

Implement the following types of cryptography required for each specified cryptographic use: .

- - - -

Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Collaborative Computing Devices and Applications - - - - SC-15 - SC-15 - AC-21 - SC-42 - - - a. -

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

- - - b. -

Provide an explicit indication of use to users physically present at the devices.

- - - -

Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

- - - - Public Key Infrastructure Certificates - - - - SC-17 - SC-17 - [SP 800-32] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-63-3] - AU-10 - IA-5 - SC-12 - - - a. -

Issue public key certificates under an or obtain public key certificates from an approved service provider; and

- - - b. -

Include only approved trust anchors in trust stores or certificate stores managed by the organization.

- - - -

This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

- - - - Mobile Code - SC-18 - SC-18 - [SP 800-28] - AU-2 - AU-12 - CM-2 - CM-6 - SI-3 - - - a. -

Define acceptable and unacceptable mobile code and mobile code technologies; and

- - - b. -

Authorize, monitor, and control the use of mobile code within the system.

- - - -

Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

- - - - Secure Name/address Resolution Service (authoritative Source) - SC-20 - SC-20 - [FIPS 140-3] - [FIPS 186-4] - [SP 800-81-2] - AU-10 - SC-8 - SC-12 - SC-13 - SC-21 - SC-22 - - - a. -

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

- - - b. -

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

- - - -

This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

- - - - Secure Name/address Resolution Service (recursive or Caching Resolver) - SC-21 - SC-21 - [SP 800-81-2] - SC-20 - SC-22 - -

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

- - -

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

- - - - Architecture and Provisioning for Name/address Resolution Service - SC-22 - SC-22 - [SP 800-81-2] - SC-2 - SC-20 - SC-21 - SC-24 - -

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

- - -

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists.

- - - - Session Authenticity - SC-23 - SC-23 - [SP 800-52] - [SP 800-77] - [SP 800-95] - [SP 800-113] - AU-10 - SC-8 - SC-10 - SC-11 - -

Protect the authenticity of communications sessions.

- - -

Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions.

- - - - Protection of Information at Rest - - - - - SC-28 - SC-28 - [OMB A-130] - [SP 800-56A] - [SP 800-56B] - [SP 800-56C] - [SP 800-57-1] - [SP 800-57-2] - [SP 800-57-3] - [SP 800-111] - [SP 800-124] - AC-3 - AC-4 - AC-6 - AC-19 - CA-7 - CM-3 - CM-5 - CM-6 - CP-9 - MP-4 - MP-5 - PE-3 - SC-8 - SC-12 - SC-13 - SC-34 - SI-3 - SI-7 - SI-16 - -

Protect the of the following information at rest: .

- - -

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage.

- - - Cryptographic Protection - - - - - - - SC-28(1) - SC-28(01) - AC-19 - -

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

- - -

Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13).

- - - - - Process Isolation - SC-39 - SC-39 - [SP 800-160 v1] - AC-3 - AC-4 - AC-6 - AC-25 - SA-8 - SC-2 - SC-3 - SI-16 - -

Maintain a separate execution domain for each executing system process.

- - -

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

- - - - - System and Information Integrity - - Policy and Procedures - - - - - - - - - - - - - - SI-1 - SI-01 - [OMB A-130] - [SP 800-12] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and information integrity policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

- - - c. -

Review and update the current system and information integrity:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Flaw Remediation - - - - SI-2 - SI-02 - [OMB A-130] - [FIPS 140-3] - [FIPS 186-4] - [SP 800-40] - [SP 800-128] - [IR 7788] - CA-5 - CM-3 - CM-4 - CM-5 - CM-6 - CM-8 - MA-2 - RA-5 - SA-8 - SA-10 - SA-11 - SI-3 - SI-5 - SI-7 - SI-11 - - - a. -

Identify, report, and correct system flaws;

- - - b. -

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

- - - c. -

Install security-relevant software and firmware updates within of the release of the updates; and

- - - d. -

Incorporate flaw remediation into the organizational configuration management process.

- - - -

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. -Organization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

- - - Automated Flaw Remediation Status - - - - - - - SI-2(2) - SI-02(02) - CA-7 - SI-4 - -

Determine if system components have applicable security-relevant software and firmware updates installed using - .

- - -

Automated mechanisms can track and determine the status of known flaws for system components.

- - - - - Malicious Code Protection - - - - - - - - - - - - - SI-3 - SI-03 - [SP 800-83] - [SP 800-125B] - [SP 800-177] - AC-4 - AC-19 - CM-3 - CM-8 - IR-4 - MA-3 - MA-4 - RA-5 - SC-7 - SC-23 - SC-26 - SC-28 - SC-44 - SI-2 - SI-4 - SI-7 - SI-8 - SI-15 - - - a. -

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

- - - b. -

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

- - - c. -

Configure malicious code protection mechanisms to:

- - 1. -

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

- - - 2. -

- ; and send alert to in response to malicious code detection.

- - - - d. -

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

- - - -

System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. -Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions. -In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files.

- - - Central Management - SI-3(1) - SI-03(01) - PL-9 - -

Centrally manage malicious code protection mechanisms.

- - -

Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls.

- - - - - System Monitoring - - - - - - - - - - - - - - - - - SI-4 - SI-04 - [OMB A-130] - [SP 800-61] - [SP 800-83] - [SP 800-92] - [SP 800-94] - [SP 800-137] - AC-2 - AC-3 - AC-4 - AC-8 - AC-17 - AU-2 - AU-6 - AU-7 - AU-9 - AU-12 - AU-13 - AU-14 - CA-7 - CM-3 - CM-6 - CM-8 - CM-11 - IA-10 - IR-4 - MA-3 - MA-4 - PM-12 - RA-5 - SC-5 - SC-7 - SC-18 - SC-26 - SC-31 - SC-35 - SC-36 - SC-37 - SC-43 - SI-3 - SI-6 - SI-7 - SR-9 - SR-10 - - - a. -

Monitor the system to detect:

- - 1. -

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

- - - 2. -

Unauthorized local, network, and remote connections;

- - - - b. -

Identify unauthorized use of the system through the following techniques and methods: ;

- - - c. -

Invoke internal monitoring capabilities or deploy monitoring devices:

- - 1. -

Strategically within the system to collect organization-determined essential information; and

- - - 2. -

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

- - - - d. -

Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

- - - e. -

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

- - - f. -

Obtain legal opinion regarding system monitoring activities; and

- - - g. -

Provide to - .

- - - -

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. -Depending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - Automated Tools and Mechanisms for Real-time Analysis - SI-4(2) - SI-04(02) - PM-23 - PM-25 - -

Employ automated tools and mechanisms to support near real-time analysis of events.

- - -

Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

- - - - Inbound and Outbound Communications Traffic - - - - SI-4(4) - SI-04(04) - -

Monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

- - -

Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components.

- - - - System-generated Alerts - - - - - - - SI-4(5) - SI-04(05) - AU-4 - AU-5 - PE-6 - -

Alert when the following system-generated indications of compromise or potential compromise occur: .

- - -

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats.

- - - - - Security Alerts, Advisories, and Directives - - - - - - - - - - - - - - SI-5 - SI-05 - [SP 800-40] - PM-15 - RA-5 - SI-2 - - - a. -

Receive system security alerts, advisories, and directives from on an ongoing basis;

- - - b. -

Generate internal security alerts, advisories, and directives as deemed necessary;

- - - c. -

Disseminate security alerts, advisories, and directives to: ; and

- - - d. -

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

- - - -

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

- - - - Software, Firmware, and Information Integrity - - - - - - - SI-7 - SI-07 - [OMB A-130] - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-70] - [SP 800-147] - AC-4 - CM-3 - CM-7 - CM-8 - MA-3 - MA-4 - RA-5 - SA-8 - SA-9 - SA-10 - SC-8 - SC-12 - SC-13 - SC-28 - SC-37 - SI-3 - SR-3 - SR-4 - SR-5 - SR-6 - SR-9 - SR-10 - SR-11 - - - a. -

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: ; and

- - - b. -

Take the following actions when unauthorized changes to the software, firmware, and information are detected: .

- - - -

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications.

- - - Integrity Checks - - - - - - - - - - - SI-7(1) - SI-07(01) - -

Perform an integrity check of - .

- - -

Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.

- - - - Integration of Detection and Response - - - - SI-7(7) - SI-07(07) - AU-2 - AU-6 - IR-4 - IR-5 - SI-4 - -

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: .

- - -

This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges.

- - - - - Spam Protection - SI-8 - SI-08 - [SP 800-45] - [SP 800-177] - SC-5 - SC-7 - SC-38 - SI-3 - SI-4 - - - a. -

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

- - - b. -

Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

- - - -

System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.

- - - Central Management - SI-8(1) - SI-08(01) - AU-3 - CM-6 - SI-2 - SI-7 - -

Centrally manage spam protection mechanisms.

- - -

Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls.

- - - - Automatic Updates - - - - SI-8(2) - SI-08(02) - -

Automatically update spam protection mechanisms .

- - -

Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability.

- - - - - Information Input Validation - - - - SI-10 - SI-10 - [OMB A-130, Appendix II] - -

Check the validity of the following information inputs: .

- - -

Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

- - - - Error Handling - - - - SI-11 - SI-11 - AU-2 - AU-3 - SC-31 - SI-2 - - - a. -

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

- - - b. -

Reveal error messages only to .

- - - -

Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.

- - - - Information Management and Retention - SI-12 - SI-12 - [OMB A-130, Appendix II] - AC-1 - AT-1 - AU-1 - CA-1 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PM-1 - PS-1 - PT-1 - RA-1 - SA-1 - SC-1 - SI-1 - SR-1 - AC-16 - AU-5 - AU-11 - CA-2 - CA-3 - CA-5 - CA-6 - CA-7 - CA-9 - CM-5 - CM-9 - CP-2 - IR-8 - MP-2 - MP-3 - MP-4 - MP-6 - PL-2 - PL-4 - PM-4 - PM-8 - PM-9 - PS-2 - PS-6 - PT-1 - PT-2 - PT-3 - RA-2 - RA-3 - SA-5 - SR-1 - -

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

- - -

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel.

- - - - Memory Protection - - - - SI-16 - SI-16 - AC-25 - SC-3 - -

Implement the following controls to protect the system memory from unauthorized code execution: .

- - -

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

- - - - - Supply Chain Risk Management - - Policy and Procedures - - - - - - - - - - - - - - SR-1 - SR-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [SP 800-161] - PM-9 - PM-30 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- supply chain risk management policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

- - - c. -

Review and update the current supply chain risk management:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Supply Chain Risk Management Plan - - - - - - - SR-2 - SR-02 - [SP 800-30] - [SP 800-39] - [SP 800-160 v1] - [SP 800-161] - [IR 7622] - CA-2 - CP-4 - IR-4 - MA-2 - MA-6 - PE-16 - PL-2 - PM-9 - PM-30 - RA-3 - RA-7 - SA-8 - - - a. -

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: ;

- - - b. -

Implement the supply chain risk management plan consistently across the organization; and

- - - c. -

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes.

- - - -

The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. -Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

- - - Establish Scrm Team - - - - - - - SR-2(1) - SR-02(01) - -

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

- - -

To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team.

- - - - - Supply Chain Controls and Processes - - - - - - - - - - - - - - SR-3 - SR-03 - [SP 800-30] - [SP 800-161] - [IR 7622] - CA-2 - MA-2 - MA-6 - PE-3 - PE-16 - PL-8 - PM-30 - SA-2 - SA-3 - SA-4 - SA-5 - SA-8 - SA-9 - SA-10 - SA-15 - SC-7 - SC-29 - SC-30 - SC-38 - SI-7 - SR-6 - SR-9 - SR-11 - - - a. -

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

- - - b. -

Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

- - - c. -

Document the selected and implemented supply chain processes and controls in .

- - - -

Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

- - - - Acquisition Strategies, Tools, and Methods - - - - SR-5 - SR-05 - [SP 800-30] - [SP 800-161] - [IR 7622] - AT-3 - SA-2 - SA-3 - SA-4 - SA-5 - SA-8 - SA-9 - SA-10 - SA-15 - SR-6 - SR-9 - SR-10 - SR-11 - -

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

- - -

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

- - - - Supplier Reviews - - - - SR-6 - SR-06 - [FIPS 140-3] - [FIPS 180-4] - [FIPS 186-4] - [FIPS 202] - [SP 800-30] - [SP 800-161] - [IR 7622] - SR-3 - SR-5 - -

Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide .

- - -

A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts.

- - - - Notification Agreements - - - - - SR-8 - SR-08 - [SP 800-30] - [SP 800-161] - [IR 7622] - IR-4 - IR-6 - IR-8 - -

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

- - -

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

- - - - Inspection of Systems or Components - - - - - - - - - - - SR-10 - SR-10 - AT-3 - PM-30 - SI-4 - SI-7 - SR-3 - SR-4 - SR-5 - SR-9 - SR-11 - -

Inspect the following systems or system components to detect tampering: .

- - -

Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations.

- - - - Component Authenticity - - - - - - - - SR-11 - SR-11 - PE-3 - SA-4 - SI-7 - SR-9 - SR-10 - - - a. -

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

- - - b. -

Report counterfeit system components to .

- - - -

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

- - - Anti-counterfeit Training - - - - SR-11(1) - SR-11(01) - AT-3 - -

Train to detect counterfeit system components (including hardware, software, and firmware).

- - -

None.

- - - - Configuration Control for Component Service and Repair - - - - SR-11(2) - SR-11(02) - CM-3 - MA-2 - MA-4 - SA-10 - -

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

- - -

None.

- - - - Component Disposal - - - - SR-11(3) - SR-11(03) - MP-6 - -

Dispose of system components using the following techniques and methods: .

- - -

Proper disposal of system components helps to prevent such components from entering the gray market.

- - - - - - - [PRIVACT] - - Privacy Act (P.L. 93-579), December 1974. - - - - - [EVIDACT] - - Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019. - - - - - [EO 13526] - - Executive Order 13526, Classified National Security Information, December 2009. - - - - - [FISMA] - - Federal Information Security Modernization Act (P.L. 113-283), December 2014. - - - - - [EO 13587] - - Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 2011. - - - - - [HSPD 7] - - Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003. - - - - - [5 CFR 731] - - Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements(5 C.F.R. 731.106). - - - - - [32 CFR 2002] - - Code of Federal Regulations, Title 32, Controlled Unclassified Information(32 C.F.R 2002). - - - - - [ODNI NITP] - - Office of the Director National Intelligence, National Insider Threat Policy - - - - - - [OMB A-108] - - Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, December 2016. - - - - - - [OMB A-130] - - Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016. - - - - - [OMB M-17-06] - - Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services, November 2016. - - - - - - [OMB M-17-12] - - Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017. - - - - - - [OMB M-17-25] - - Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017. - - - - - - [OMB M-19-23] - - Office of Management and Budget Memorandum M-19-23, Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance, July 2019. - - - - - - [CNSSI 1253] - - Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, March 2014. - - - - - [DHS NIPP] - - Department of Homeland Security, National Infrastructure Protection Plan (NIPP), 2009. - - - - - [ISO 15408-1] - - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model, April 2017. - - - - - - [ISO 15408-2] - - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements, April 2017. - - - - - - [ISO 15408-3] - - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements, April 2017. - - - - - - [FIPS 140-3] - - National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - - - - - [FIPS 180-4] - - National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. - - - - - [FIPS 186-4] - - National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. - - - - - [FIPS 197] - - National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. - - - - - [FIPS 199] - - National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - - - - - [FIPS 200] - - National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - - - - - [FIPS 201-2] - - National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - - - - - [FIPS 202] - - National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. - - - - - [SP 800-12] - - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. - - - - - - [SP 800-18] - - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. - - - - - - [SP 800-28] - - Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. - - - - - - [SP 800-30] - - Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - - - - - [SP 800-32] - - Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32. - - - - - [SP 800-34] - - Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. - - - - - [SP 800-35] - - Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - - - - - [SP 800-37] - - Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - - - - - [SP 800-39] - - Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - - - - - [SP 800-40] - - Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. - - - - - [SP 800-41] - - Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. - - - - - [SP 800-45] - - Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. - - - - - [SP 800-46] - - Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. - - - - - [SP 800-47] - - Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. - - - - - [SP 800-50] - - Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - - - - - [SP 800-52] - - McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. - - - - - [SP 800-53A] - - Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - - - - - [SP 800-53B] - - National Institute of Standards and Technology Special Publication 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. Projected for publication in 2020. - - - - [SP 800-55] - - Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - - - - - [SP 800-56A] - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. - - - - - [SP 800-56B] - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. - - - - - [SP 800-56C] - - Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1. - - - - - [SP 800-57-1] - - Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4. - - - - - [SP 800-57-2] - - Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. - - - - - [SP 800-57-3] - - Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. - - - - - [SP 800-60 v1] - - Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - - - - - [SP 800-60 v2] - - Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - - - - - [SP 800-61] - - Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - - - - - [SP 800-63-3] - - Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - - - - - [SP 800-63A] - - Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. - - - - - [SP 800-70] - - Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - - - - - [SP 800-73-4] - - Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - - - - - [SP 800-76-2] - - Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. - - - - - - [SP 800-77] - - Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77. - - - - - [SP 800-78-4] - - Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. - - - - - - [SP 800-79-2] - - Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. - - - - - - [SP 800-81-2] - - Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. - - - - - - [SP 800-83] - - Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - - - - - [SP 800-84] - - Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - - - - - [SP 800-86] - - Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - - - - - [SP 800-88] - - Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - - - - - [SP 800-92] - - Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - - - - - [SP 800-94] - - Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. - - - - - [SP 800-95] - - Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. - - - - - [SP 800-97] - - Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. - - - - - [SP 800-100] - - Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - - - - - [SP 800-101] - - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. - - - - - - [SP 800-111] - - Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. - - - - - - [SP 800-113] - - Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. - - - - - [SP 800-114] - - Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. - - - - - [SP 800-115] - - Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - - - - - [SP 800-116] - - Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. - - - - - [SP 800-121] - - Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. - - - - - [SP 800-124] - - Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - - - - - [SP 800-125B] - - Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. - - - - - [SP 800-126] - - Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. - - - - - [SP 800-128] - - Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - - - - - [SP 800-130] - - Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. - - - - - [SP 800-137] - - Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - - - - - [SP 800-147] - - Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147. - - - - - [SP 800-150] - - Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - - - - - [SP 800-152] - - Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. - - - - - [SP 800-154] - - Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. - - - - - [SP 800-156] - - Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. - - - - - [SP 800-160 v1] - - Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - - - - - [SP 800-160 v2] - - Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - - - - - [SP 800-161] - - Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - - - - - [SP 800-162] - - Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019. - - - - - [SP 800-166] - - Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. - - - - - [SP 800-167] - - Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. - - - - - [SP 800-171] - - Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. - - - - - [SP 800-171B] - - Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B. - - - - - [SP 800-177] - - Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. - - - - - [SP 800-178] - - Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. - - - - - [SP 800-181] - - Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - - - - - [SP 800-184] - - Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - - - - - [SP 800-188] - - Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - - - - - [SP 800-189] - - Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. - - - - - [SP 800-192] - - Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. - - - - - [IR 7539] - - Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - - - - - [IR 7559] - - Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - - - - - [IR 7622] - - Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - - - - - [IR 7676] - - Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - - - - - [IR 7788] - - Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. - - - - - [IR 7817] - - Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. - - - - - [IR 7849] - - Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. - - - - - [IR 7870] - - Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - - - - - [IR 7874] - - Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - - - - - [IR 7956] - - Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. - - - - - [IR 7966] - - Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. - - - - - [IR 8011 v1] - - Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - - - - - [IR 8023] - - Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - - - - - [IR 8040] - - Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. - - - - - [IR 8062] - - Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - - - - - [IR 8179] - - Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. - - - - - [DOD STIG] - - Defense Information Systems Agency, Security Technical Implementation Guides (STIG). - - - - - [IETF 5905] - - - - - - [NARA CUI] - - National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. - - - - - [NIAP CCEVS] - - National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. - - - - - [NCPR] - - National Institute of Standards and Technology (2020) National Checklist Program Repository. Available at - - - - - [NSA CSFC] - - National Security Agency, Commercial Solutions for Classified Program (CSfC). - - - - - [NSA MEDIA] - - National Security Agency, Media Destruction Guidance. - - - - - [USGCB] - - National Institute of Standards and Technology (2020) United States Government Configuration Baseline. Available at - - - - - diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml deleted file mode 100644 index 8e14681453..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml +++ /dev/null @@ -1,365 +0,0 @@ - - - - SP800-53 MODERATE IMPACT BASELINE - 2020-08-26T16:28:37.775-04:00 - FPD - 1.0.0-milestone3 - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - - - 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - true - - diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.xml deleted file mode 100644 index 454f459a29..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.xml +++ /dev/null @@ -1,4180 +0,0 @@ - - - - SP800-53 PRIVACY BASELINE - 2020-08-26T16:28:37.032-04:00 - FPD - 1.0.0-milestone3 - 2020-08-31T17:39:57.58205Z - SP800-53 PRIVACY BASELINE - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - - - d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - - - - Access Control - - Policy and Procedures - - - - - - - - - - - - - - AC-1 - AC-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [IR 7874] - IA-1 - PM-9 - PM-24 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- access control policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the access control policy and the associated access controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

- - - c. -

Review and update the current access control:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - - Awareness and Training - - Policy and Procedures - - - - - - - - - - - - - - AT-1 - AT-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- awareness and training policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

- - - c. -

Review and update the current awareness and training:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Awareness Training - - - - - - - AT-2 - AT-02 - [OMB A-130] - [SP 800-50] - [SP 800-160 v2] - AC-3 - AC-17 - AC-22 - AT-3 - AT-4 - CP-3 - IA-4 - IR-2 - IR-7 - IR-9 - PL-4 - PM-13 - PM-21 - PS-7 - PT-2 - SA-8 - SA-16 - - - a. -

Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):

- - 1. -

As part of initial training for new users and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update awareness training .

- - - -

Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. -Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective.

- - - Breach - AT-2(5) - AT-02(05) - IR-1 - IR-2 - -

Provide awareness training on how to identify and respond to a breach, including the organization’s process for reporting a breach.

- - -

A breach is a type of incident that involves personally identifiable information. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The awareness training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Awareness training includes tabletop exercises that simulate a breach.

- - - - - Role-based Training - - - - - - - - - - AT-3 - AT-03 - [OMB A-130] - [SP 800-50] - AC-3 - AC-17 - AC-22 - AT-2 - AT-4 - CP-3 - IR-2 - IR-7 - IR-9 - IR-10 - PL-4 - PM-13 - PM-23 - PS-7 - SA-3 - SA-8 - SA-11 - SA-16 - SR-5 - SR-6 - SR-11 - - - a. -

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

- - 1. -

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

- - - 2. -

When required by system changes; and

- - - - b. -

Update role-based training .

- - - -

Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. -Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective.

- - - Accessing Personally Identifiable Information - - - - - - - AT-3(5) - AT-03(05) - -

Provide with initial and training on:

- - (a) -

Organizational authority for collecting personally identifiable information;

- - - (b) -

Authorized uses of personally identifiable information;

- - - (c) -

Identifying, reporting, and responding to a suspected or confirmed breach;

- - - (d) -

Content of system of records notices, computer matching agreements, and privacy impact assessments;

- - - (e) -

Authorized sharing of personally identifiable information with external parties; and

- - - (f) -

Rules of behavior and the consequences for unauthorized collection, use, or sharing of personally identifiable information.

- - - -

Role-based training addresses the responsibility of individuals when accessing personally identifiable information; the organization’s established rules of behavior when accessing personally identifiable information; the consequences for violating the rules of behavior; and how to respond to a breach. Role-based training helps ensure personnel comply with applicable privacy requirements and is necessary to manage privacy risks.

- - - - - Training Records - - - - AT-4 - AT-04 - [OMB A-130] - AT-2 - AT-3 - CP-3 - IR-2 - PM-14 - SI-12 - - - a. -

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

- - - b. -

Retain individual training records for .

- - - -

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

- - - - - Audit and Accountability - - Policy and Procedures - - - - - - - - - - - - - - AU-1 - AU-01 - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- audit and accountability policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

- - - c. -

Review and update the current audit and accountability:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Event Logging - - - - - - - - - - AU-2 - AU-02 - [OMB A-130] - [SP 800-92] - AC-2 - AC-3 - AC-6 - AC-7 - AC-8 - AC-16 - AC-17 - AU-3 - AU-4 - AU-5 - AU-6 - AU-7 - AU-11 - AU-12 - CM-3 - CM-5 - CM-6 - CM-13 - IA-3 - MA-4 - MP-4 - PE-3 - PM-21 - PT-2 - PT-8 - RA-8 - SA-8 - SC-7 - SC-18 - SI-3 - SI-4 - SI-7 - SI-10 - SI-11 - - - a. -

Identify the types of events that the system is capable of logging in support of the audit function: ;

- - - b. -

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

- - - c. -

Specify the following event types for logging within the system: ;

- - - d. -

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

- - - e. -

Review and update the event types selected for logging .

- - - -

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. -To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. -Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

- - - - Audit Record Retention - - - - AU-11 - AU-11 - [OMB A-130] - AU-2 - AU-4 - AU-5 - AU-6 - AU-9 - AU-14 - MP-6 - RA-5 - SI-12 - -

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

- - -

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - - Assessment, Authorization, and Monitoring - - Policy and Procedures - - - - - - - - - - - - - - CA-1 - CA-01 - [OMB A-130, Appendix II] - [SP 800-12] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-100] - [SP 800-137] - [IR 8062] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- assessment, authorization, and monitoring policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

- - - c. -

Review and update the current assessment, authorization, and monitoring:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Control Assessments - - - - - - - CA-2 - CA-02 - [OMB A-130] - [FIPS 199] - [SP 800-18] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8062] - AC-20 - CA-5 - CA-6 - CA-7 - PM-9 - RA-5 - SA-11 - SC-38 - SI-3 - SI-12 - SR-2 - SR-3 - - - a. -

Develop a control assessment plan that describes the scope of the assessment including:

- - 1. -

Controls and control enhancements under assessment;

- - - 2. -

Assessment procedures to be used to determine control effectiveness; and

- - - 3. -

Assessment environment, assessment team, and assessment roles and responsibilities;

- - - - b. -

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

- - - c. -

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

- - - d. -

Produce a control assessment report that document the results of the assessment; and

- - - e. -

Provide the results of the control assessment to .

- - - -

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. -Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. -Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. -To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control.

- - - - Plan of Action and Milestones - - - - CA-5 - CA-05 - [OMB A-130] - [SP 800-37] - CA-2 - CA-7 - PM-4 - PM-9 - RA-7 - SI-2 - SI-12 - - - a. -

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

- - - b. -

Update existing plan of action and milestones based on the findings from control assessments, audits, and continuous monitoring activities.

- - - -

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB.

- - - - Authorization - - - - CA-6 - CA-06 - [OMB A-130] - [SP 800-37] - [SP 800-137] - CA-2 - CA-3 - CA-7 - PM-9 - PM-10 - SA-10 - SI-12 - - - a. -

Assign a senior official as the authorizing official for the system;

- - - b. -

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

- - - c. -

Ensure that the authorizing official for the system, before commencing operations:

- - 1. -

Accepts the use of common controls inherited by the system; and

- - - 2. -

Authorizes the system to operate;

- - - - d. -

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

- - - e. -

Update the authorizations .

- - - -

Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. -Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - Continuous Monitoring - - - - - - - - - - - - - - - - CA-7 - CA-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - [IR 8011 v1] - [IR 8062] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PM-31 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-8 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-6 - -

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

- - a. -

Establishing the following system-level metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing control assessments in accordance with the continuous monitoring strategy;

- - - d. -

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

- - - e. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - f. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - g. -

Reporting the security and privacy status of the system to - .

- - - -

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. -Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - Risk Monitoring - CA-7(4) - CA-07(04) - -

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

- - (a) -

Effectiveness monitoring;

- - - (b) -

Compliance monitoring; and

- - - (c) -

Change monitoring.

- - - -

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

- - - - - - Configuration Management - - Policy and Procedures - - - - - - - - - - - - - - CM-1 - CM-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- configuration management policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

- - - c. -

Review and update the current configuration management:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Impact Analyses - CM-4 - CM-04 - [SP 800-128] - CA-7 - CM-3 - CM-8 - CM-9 - MA-2 - RA-3 - RA-5 - SA-5 - SA-8 - SA-10 - SI-2 - -

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

- - -

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required.

- - - - - Incident Response - - Policy and Procedures - - - - - - - - - - - - - - IR-1 - IR-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-50] - [SP 800-61] - [SP 800-83] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- incident response policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

- - - c. -

Review and update the current incident response:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Incident Response Testing - - - - - - - IR-3 - IR-03 - [OMB A-130] - [SP 800-84] - [SP 800-115] - CP-3 - CP-4 - IR-2 - IR-4 - IR-8 - PM-14 - -

Test the effectiveness of the incident response capability for the system using the following tests: .

- - -

Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

- - - - Incident Handling - IR-4 - IR-04 - [SP 800-61] - [SP 800-86] - [SP 800-101] - [SP 800-150] - [SP 800-160 v2] - [SP 800-184] - [IR 7559] - AC-19 - AU-6 - AU-7 - CM-6 - CP-2 - CP-3 - CP-4 - IR-2 - IR-3 - IR-6 - IR-8 - IR-10 - PE-6 - PL-2 - PM-12 - SA-8 - SC-5 - SC-7 - SI-3 - SI-4 - SI-7 - - - a. -

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

- - - b. -

Coordinate incident handling activities with contingency planning activities;

- - - c. -

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

- - - d. -

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

- - - -

Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk.

- - - - Incident Reporting - - - - - - - IR-6 - IR-06 - [SP 800-61] - CM-6 - CP-2 - IR-4 - IR-5 - IR-8 - IR-9 - - - a. -

Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within ; and

- - - b. -

Report security, privacy, and supply chain incident information to .

- - - -

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

- - - - Incident Response Assistance - IR-7 - IR-07 - [OMB A-130] - [IR 7559] - AT-2 - AT-3 - IR-4 - IR-6 - IR-8 - PM-22 - PM-26 - SA-9 - SI-18 - -

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents.

- - -

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

- - - - Incident Response Plan - - - - - - - - - - - - - - - - IR-8 - IR-08 - [OMB A-130] - [SP 800-61] - [OMB M-17-12] - AC-2 - CP-2 - CP-4 - IR-4 - IR-7 - IR-9 - PE-6 - PL-2 - SA-15 - SI-12 - SR-8 - - - a. -

Develop an incident response plan that:

- - 1. -

Provides the organization with a roadmap for implementing its incident response capability;

- - - 2. -

Describes the structure and organization of the incident response capability;

- - - 3. -

Provides a high-level approach for how the incident response capability fits into the overall organization;

- - - 4. -

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

- - - 5. -

Defines reportable incidents;

- - - 6. -

Provides metrics for measuring the incident response capability within the organization;

- - - 7. -

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

- - - 8. -

Is reviewed and approved by - ; and

- - - 9. -

Explicitly designates responsibility for incident response to .

- - - - b. -

Distribute copies of the incident response plan to ;

- - - c. -

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

- - - d. -

Communicate incident response plan changes to ; and

- - - e. -

Protect the incident response plan from unauthorized disclosure and modification.

- - - -

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

- - - Privacy Breaches - IR-8(1) - IR-08(01) - PT-1 - PT-2 - PT-3 - PT-5 - PT-6 - PT-8 - -

Include the following in the Incident Response Plan for breaches involving personally identifiable information:

- - (a) -

A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;

- - - (b) -

An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and

- - - (c) -

Identification of applicable privacy requirements.

- - - -

Organizations may be required by law, regulation, or policy to follow specific procedures relating to privacy breaches, including notice to individuals, affected organizations, and oversight bodies, standards of harm, and mitigation or other specific requirements.

- - - - - - Media Protection - - Policy and Procedures - - - - - - - - - - - - - - MP-1 - MP-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- media protection policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

- - - c. -

Review and update the current media protection:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Media Sanitization - - - - - - - MP-6 - MP-06 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-88] - [SP 800-124] - [IR 8023] - [NSA MEDIA] - AC-3 - AC-7 - AU-11 - MA-2 - MA-3 - MA-4 - MA-5 - PM-22 - SI-12 - SI-18 - SI-19 - SR-11 - - - a. -

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

- - - b. -

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

- - - -

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information.

- - - - - Planning - - Policy and Procedures - - - - - - - - - - - - - - PL-1 - PL-01 - [OMB A-130] - [SP 800-12] - [SP 800-18] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- planning policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

- - - c. -

Review and update the current planning:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - System Security and Privacy Plans - - - - - - - - - - PL-2 - PL-02 - [OMB A-130, Appendix II] - [SP 800-18] - [SP 800-37] - [SP 800-160 v1] - [SP 800-160 v2] - AC-2 - AC-6 - AC-14 - AC-17 - AC-20 - CA-2 - CA-3 - CA-7 - CM-9 - CM-13 - CP-2 - CP-4 - IR-4 - IR-8 - MA-4 - MA-5 - MP-4 - MP-5 - PL-7 - PL-8 - PL-10 - PL-11 - PM-1 - PM-7 - PM-8 - PM-9 - PM-10 - PM-11 - RA-3 - RA-8 - RA-9 - SA-5 - SA-17 - SA-22 - SI-12 - SR-2 - SR-4 - - - a. -

Develop security and privacy plans for the system that:

- - 1. -

Are consistent with the organization’s enterprise architecture;

- - - 2. -

Explicitly define the constituent system components;

- - - 3. -

Describe the operational context of the system in terms of missions and business processes;

- - - 4. -

Provide the security categorization of the system, including supporting rationale;

- - - 5. -

Describe any specific threats to the system that are of concern to the organization;

- - - 6. -

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

- - - 7. -

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

- - - 8. -

Provide an overview of the security and privacy requirements for the system;

- - - 9. -

Identify any relevant control baselines or overlays, if applicable;

- - - 10. -

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

- - - 11. -

Include risk determinations for security and privacy architecture and design decisions;

- - - 12. -

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

- - - 13. -

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

- - - - b. -

Distribute copies of the plans and communicate subsequent changes to the plans to ;

- - - c. -

Review the plans ;

- - - d. -

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

- - - e. -

Protect the plans from unauthorized disclosure and modification.

- - - -

System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. -Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. -Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. -Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate.

- - - - Rules of Behavior - - - - - - - - PL-4 - PL-04 - [OMB A-130] - [SP 800-18] - AC-2 - AC-6 - AC-8 - AC-9 - AC-17 - AC-18 - AC-19 - AC-20 - AT-2 - AT-3 - CM-11 - IA-2 - IA-4 - IA-5 - MP-7 - PS-6 - PS-8 - SA-5 - SI-12 - - - a. -

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

- - - b. -

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

- - - c. -

Review and update the rules of behavior ; and

- - - d. -

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

- - - -

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons.

- - - Social Media and External Site/application Usage Restrictions - PL-4(1) - PL-04(01) - AC-22 - AU-13 - -

Include in the rules of behavior, restrictions on:

- - (a) -

Use of social media, social networking sites, and external sites/applications;

- - - (b) -

Posting organizational information on public websites; and

- - - (c) -

Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications.

- - - -

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information.

- - - - - Security and Privacy Architectures - - - - PL-8 - PL-08 - [OMB A-130] - [SP 800-160 v1] - [SP 800-160 v2] - CM-2 - CM-6 - PL-2 - PL-7 - PL-9 - PM-5 - PM-7 - RA-9 - SA-3 - SA-5 - SA-8 - SA-17 - - - a. -

Develop security and privacy architectures for the system that:

- - 1. -

Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

- - - 2. -

Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

- - - 3. -

Describe how the architectures are integrated into and support the enterprise architecture; and

- - - 4. -

Describe any assumptions about, and dependencies on, external systems and services;

- - - - b. -

Review and update the architectures to reflect changes in the enterprise architecture; and

- - - c. -

Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions.

- - - -

The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs. -[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews). -In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented. -PL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

- - - - Central Management - - - - PL-9 - PL-09 - [OMB A-130] - [SP 800-37] - PL-8 - PM-9 - -

Centrally manage .

- - -

Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and judicious use of organizational resources. Centrally-managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring. -As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6(1), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-7, SI-8.

- - - - - Program Management - - Information Security and Privacy Resources - PM-3 - PM-03 - [OMB A-130] - PM-4 - SA-2 - - - a. -

Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;

- - - b. -

Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and

- - - c. -

Make available for expenditure, the planned information security and privacy resources.

- - - -

Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.

- - - - Plan of Action and Milestones Process - PM-4 - PM-04 - [PRIVACT] - [OMB A-130] - [SP 800-37] - CA-5 - CA-7 - PM-3 - RA-7 - SI-12 - - - a. -

Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:

- - 1. -

Are developed and maintained;

- - - 2. -

Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and

- - - 3. -

Are reported in accordance with established reporting requirements.

- - - - b. -

Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5.

- - - - Measures of Performance - PM-6 - PM-06 - [OMB A-130] - [SP 800-55] - [SP 800-137] - CA-7 - -

Develop, monitor, and report on the results of information security and privacy measures of performance.

- - -

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program.

- - - - Enterprise Architecture - PM-7 - PM-07 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - [SP 800-160 v2] - AU-6 - PL-2 - PL-8 - PM-11 - RA-2 - SA-3 - SA-8 - SA-17 - -

Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.

- - -

The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines.

- - - - Critical Infrastructure Plan - PM-8 - PM-08 - [OMB A-130] - [HSPD 7] - [DHS NIPP] - CP-2 - CP-4 - PE-18 - PL-2 - PM-9 - PM-11 - PM-18 - RA-3 - SI-12 - -

Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

- - -

Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

- - - - Risk Management Strategy - - - - PM-9 - PM-09 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - AC-1 - AU-1 - AT-1 - CA-1 - CA-2 - CA-5 - CA-6 - CA-7 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PL-2 - PM-2 - PM-8 - PM-18 - PM-28 - PM-30 - PS-1 - PT-1 - PT-2 - PT-3 - RA-1 - RA-3 - RA-9 - SA-1 - SA-4 - SC-1 - SC-38 - SI-1 - SI-12 - SR-1 - SR-2 - - - a. -

Develops a comprehensive strategy to manage:

- - 1. -

Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and

- - - 2. -

Privacy risk to individuals resulting from the authorized processing of personally identifiable information;

- - - - b. -

Implement the risk management strategy consistently across the organization; and

- - - c. -

Review and update the risk management strategy or as required, to address organizational changes.

- - - -

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive.

- - - - Authorization Process - PM-10 - PM-10 - [SP 800-37] - [SP 800-39] - CA-6 - CA-7 - PL-2 - - - a. -

Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;

- - - b. -

Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and

- - - c. -

Integrate the authorization processes into an organization-wide risk management program.

- - - -

Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.

- - - - Mission and Business Process Definition - - - - PM-11 - PM-11 - [OMB A-130] - [FIPS 199] - [SP 800-60 v1] - [SP 800-60 v2] - [SP 800-160 v1] - CP-2 - PL-2 - PM-7 - PM-8 - RA-2 - RA-3 - SA-2 - - - a. -

Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and

- - - b. -

Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and

- - - c. -

Review and revise the mission and business processes .

- - - -

Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures.

- - - - Security and Privacy Workforce - PM-13 - PM-13 - [OMB A-130] - [SP 800-181] - AT-2 - AT-3 - -

Establish a security and privacy workforce development and improvement program.

- - -

Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.

- - - - Testing, Training, and Monitoring - PM-14 - PM-14 - [OMB A-130] - [SP 800-37] - [SP 800-39] - [SP 800-53A] - [SP 800-115] - [SP 800-137] - AT-2 - AT-3 - CA-7 - CP-4 - IR-3 - PM-12 - SI-4 - - - a. -

Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:

- - 1. -

Are developed and maintained; and

- - - 2. -

Continue to be executed; and

- - - - b. -

Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

- - - -

This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

- - - - Privacy Program Plan - PM-18 - PM-18 - [PRIVACT] - [OMB A-130] - PM-8 - PM-9 - PM-19 - - - a. -

Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:

- - 1. -

Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;

- - - 2. -

Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;

- - - 3. -

Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;

- - - 4. -

Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;

- - - 5. -

Reflects coordination among organizational entities responsible for the different aspects of privacy; and

- - - 6. -

Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and

- - - - b. -

Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.

- - - -

A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. -The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. -Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. -Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.

- - - - Privacy Program Leadership Role - PM-19 - PM-19 - [OMB A-130] - PM-18 - PM-20 - PM-23 - PM-24 - -

Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

- - -

The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24).

- - - - Dissemination of Privacy Program Information - PM-20 - PM-20 - [PRIVACT] - [OMB A-130] - [OMB M-17-06] - PM-19 - PT-6 - PT-7 - RA-8 - -

Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:

- - a. -

Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;

- - - b. -

Ensures that organizational privacy practices and reports are publicly available; and

- - - c. -

Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.

- - - -

Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications.

- - - - Accounting of Disclosures - PM-21 - PM-21 - [PRIVACT] - [OMB A-130] - AU-2 - PT-2 - - - a. -

Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:

- - 1. -

Date, nature, and purpose of each disclosure; and

- - - 2. -

Name and address, or other contact information of the person or organization to which the disclosure was made;

- - - - b. -

Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and

- - - c. -

Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.

- - - -

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. -Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions.

- - - - Personally Identifiable Information Quality Management - PM-22 - PM-22 - [OMB A-130] - [SP 800-188] - PM-23 - SI-18 - -

Develop and document policies and procedures for:

- - a. -

Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;

- - - b. -

Correcting or deleting inaccurate or outdated personally identifiable information;

- - - c. -

Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and

- - - d. -

Appeals of adverse decisions on correction or deletion requests.

- - - -

Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. -The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. -Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.

- - - - Data Integrity Board - PM-24 - PM-24 - [PRIVACT] - [OMB A-130, Appendix II] - [OMB A-108] - AC-4 - PM-19 - PM-23 - PT-8 - -

Establish a Data Integrity Board to:

- - a. -

Review proposals to conduct or participate in a matching program; and

- - - b. -

Conduct an annual review of all matching programs in which the agency has participated.

- - - -

A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.

- - - - Minimization of Pii Used in Testing, Training, and Research - - - - PM-25 - PM-25 - [OMB A-130, Appendix II] - PM-23 - PT-3 - SA-3 - - - a. -

Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;

- - - b. -

Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;

- - - c. -

Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and

- - - d. -

Review and update policies and procedures .

- - - -

The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2).

- - - - Complaint Management - - - - - - - - - - PM-26 - PM-26 - [OMB A-130] - IR-7 - IR-9 - PM-22 - SI-18 - -

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:

- - a. -

Mechanisms that are easy to use and readily accessible by the public;

- - - b. -

All information necessary for successfully filing complaints;

- - - c. -

Tracking mechanisms to ensure all complaints received are reviewed and addressed within ;

- - - d. -

Acknowledgement of receipt of complaints, concerns, or questions from individuals within ; and

- - - e. -

Response to complaints, concerns, or questions from individuals within .

- - - -

Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information.

- - - - Privacy Reporting - - - - - - - - - - PM-27 - PM-27 - [FISMA] - [OMB A-130] - [OMB A-108] - IR-9 - PM-19 - - - a. -

Develop and disseminate to:

- - 1. -

OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

- - - 2. -

- and other personnel with responsibility for monitoring privacy program compliance; and

- - - - b. -

Review and update privacy reports .

- - - -

Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.

- - - - Continuous Monitoring Strategy - - - - - - - - - - - - - - - - PM-31 - PM-31 - [SP 800-37] - [SP 800-137] - AC-2 - AC-6 - AC-17 - AT-4 - AU-6 - AU-13 - CA-2 - CA-5 - CA-6 - CA-7 - CM-3 - CM-4 - CM-6 - CM-11 - IA-5 - IR-5 - MA-2 - MA-3 - MA-4 - PE-3 - PE-6 - PE-14 - PE-16 - PE-20 - PL-2 - PM-4 - PM-6 - PM-9 - PM-10 - PM-12 - PM-14 - PM-23 - PM-28 - PS-7 - PT-8 - RA-3 - RA-5 - RA-7 - SA-9 - SA-11 - SC-5 - SC-7 - SC-18 - SC-38 - SC-43 - SC-38 - SI-3 - SI-4 - SI-12 - SR-2 - SR-4 - -

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

- - a. -

Establishing the following organization-wide metrics to be monitored: ;

- - - b. -

Establishing for monitoring and for assessment of control effectiveness;

- - - c. -

Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;

- - - d. -

Correlation and analysis of information generated by control assessments and monitoring;

- - - e. -

Response actions to address results of the analysis of control assessment and monitoring information; and

- - - f. -

Reporting the security and privacy status of organizational systems to - .

- - - -

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.

- - - - Privacy Policies on Websites, Applications, and Digital Services - PM-33 - PM-33 - [OMB A-130] - PM-19 - PM-20 - PT-6 - PT-7 - RA-8 - -

Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:

- - a. -

Are written in plain language and organized in a way that is easy to understand and navigate;

- - - b. -

Provide useful information that the public would need to make an informed decision about whether and how to interact with the organization; and

- - - c. -

Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.

- - - -

Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations should post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations should provide a link to the privacy policy on any webpage that collects personally identifiable information.

- - - - - Personally Identifiable Information Processing and Transparency - - Policy and Procedures - - - - - - - - - - - - - - PT-1 - PT-01 - [OMB A-130] - - - a. -

Develop, document, and disseminate to :

- - 1. -

- personally identifiable information processing and transparency policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the incident personally identifiable information processing and transparency policy and procedures; and

- - - c. -

Review and update the current personally identifiable information processing and transparency:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the PT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Authority to Process Personally Identifiable Information - - - - - - - - - - PT-2 - PT-02 - [PRIVACT] - [OMB A-130, Appendix II] - AC-3 - CM-13 - PM-9 - PM-24 - PT-1 - PT-3 - PT-6 - PT-7 - RA-3 - RA-8 - SI-12 - SI-18 - - - a. -

Determine and document the that permits the of personally identifiable information; and

- - - b. -

Restrict the of personally identifiable information to only that which is authorized.

- - - -

Processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes, but is not limited to, creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining. -Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organizations’ policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise from its processing. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks. -Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT] statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and/or other documentation. -Organizations take steps to ensure that personally identifiable information is processed only for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information.

- - - - Personally Identifiable Information Processing Purposes - - - - - - - - - - - - - PT-3 - PT-03 - [PRIVACT] - [OMB A-130, Appendix II] - AC-3 - AT-3 - CM-13 - PM-9 - PM-25 - PT-2 - PT-6 - PT-7 - PT-8 - RA-8 - SC-43 - SI-12 - SI-18 - - - a. -

Identify and document the for processing personally identifiable information;

- - - b. -

Describe the purpose(s) in the public privacy notices and policies of the organization;

- - - c. -

Restrict the of personally identifiable information to only that which is compatible with the identified purpose(s); and

- - - d. -

Monitor changes in processing personally identifiable information and implement to ensure that any changes are made in accordance with .

- - - -

Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system, and individuals whose information is processed by the system, to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations, and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT] statements, computer matching notices, and other applicable Federal Register notices. -Organizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information. -Organizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes arising from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks arising from changes in personally identifiable information processing purposes.

- - - - Minimization - - - - PT-4 - PT-04 - [OMB A-130] - PM-25 - SA-15 - SC-42 - SI-12 - -

Implement the privacy principle of minimization using .

- - -

The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose, and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization.

- - - - Consent - - - - PT-5 - PT-05 - [PRIVACT] - [OMB A-130] - [SP 800-63-3] - AC-16 - PT-6 - -

Implement for individuals to consent to the processing of their personally identifiable information prior to its collection that:

- - a. -

Facilitate individuals’ informed decision-making; and

- - - b. -

Provide a means for individuals to decline consent.

- - - -

Consent allows individuals to participate in the decision-making about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting this control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks arising from their authorization. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the data actions carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon.

- - - - Privacy Notice - - - - - - - PT-6 - PT-06 - [PRIVACT] - [OMB A-130] - [OMB A-108] - PM-20 - PM-22 - PT-2 - PT-3 - PT-5 - PT-8 - RA-3 - SI-18 - -

Provide notice to individuals about the processing of personally identifiable information that:

- - a. -

Is available to individuals upon first interacting with an organization, and subsequently at ;

- - - b. -

Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;

- - - c. -

Identifies the authority that authorizes the processing of personally identifiable information;

- - - d. -

Identifies the purposes for which personally identifiable information is to be processed; and

- - - e. -

Includes .

- - - -

Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and, other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices. -Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.

- - - Privacy Act Statements - PT-6(2) - PT-06(02) - PT-7 - -

Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.

- - -

If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT] statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT] statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond. -[PRIVACT] statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT].

- - - - - System of Records Notice - PT-7 - PT-07 - [PRIVACT] - [OMB A-108] - PM-20 - PT-2 - PT-3 - PT-6 - -

For systems that process information that will be maintained in a Privacy Act system of records:

- - a. -

Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;

- - - b. -

Publish system of records notices in the Federal Register; and

- - - c. -

Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.

- - - -

The [PRIVACT] requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a [PRIVACT] system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system, and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108].

- - - Routine Uses - - - - PT-7(1) - PT-07(01) - -

Review all routine uses published in the system of records notice at to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.

- - -

A [PRIVACT] routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT] prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT] requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice.

- - - - Exemption Rules - - - - PT-7(2) - PT-07(02) - -

Review all Privacy Act exemptions claimed for the system of records at to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.

- - -

The [PRIVACT] includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. These provisions allow agencies in certain circumstances to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate.

- - - - - Specific Categories of Personally Identifiable Information - - - - PT-8 - PT-08 - [PRIVACT] - [OMB A-130] - [OMB A-108] - PT-2 - PT-3 - -

Apply for specific categories of personally identifiable information.

- - -

Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from organizational policies and determinations when an organization has determined that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.

- - - Social Security Numbers - PT-8(1) - PT-08(01) - -

When a system processes Social Security numbers:

- - (a) -

Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;

- - - (b) -

Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and

- - - (c) -

Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

- - - -

Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information, and observe any particular requirements that apply.

- - - - First Amendment Information - PT-8(2) - PT-08(02) - -

Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.

- - -

None. -Related Controls: The [PRIVACT] limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements.

- - - - - Computer Matching Requirements - PT-9 - PT-09 - [PRIVACT] - [OMB A-130] - [OMB A-108] - PM-24 - -

When a system or organization processes information for the purpose of conducting a matching program:

- - a. -

Obtain approval from the Data Integrity Board to conduct the matching program;

- - - b. -

Develop and enter into a computer matching agreement;

- - - c. -

Publish a matching notice in the Federal Register;

- - - d. -

Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and

- - - e. -

Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.

- - - -

The [PRIVACT] establishes a set of requirements for federal and non-federal agencies when they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. A Federal benefit match is performed for purposes of determining or verifying eligibility for payments under Federal benefit programs, or recouping payments or delinquent debts under Federal benefit programs. A matching program involves not just the matching activity itself, but also the investigative follow-up and ultimate action, if any.

- - - - - Risk Assessment - - Policy and Procedures - - - - - - - - - - - - - - RA-1 - RA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - PM-9 - PS-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- risk assessment policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

- - - c. -

Review and update the current risk assessment:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Risk Assessment - - - - - - - - - - - - - - RA-3 - RA-03 - [OMB A-130] - [SP 800-30] - [SP 800-39] - [SP 800-161] - [IR 8023] - [IR 8062] - CA-3 - CM-4 - CM-13 - CP-6 - CP-7 - IA-8 - MA-5 - PE-3 - PE-18 - PL-2 - PL-10 - PL-11 - PM-8 - PM-9 - PM-28 - RA-2 - RA-5 - RA-7 - SA-8 - SA-9 - SC-38 - SI-12 - - - a. -

Conduct a risk assessment, including:

- - 1. -

The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

- - - 2. -

The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

- - - - b. -

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

- - - c. -

Document risk assessment results in ;

- - - d. -

Review risk assessment results ;

- - - e. -

Disseminate risk assessment results to ; and

- - - f. -

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

- - - -

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. -Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. -In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

- - - - Risk Response - RA-7 - RA-07 - [FIPS 199] - [FIPS 200] - [SP 800-30] - [SP 800-37] - [SP 800-39] - [SP 800-160 v1] - CA-5 - IR-9 - PM-4 - PM-28 - RA-2 - RA-3 - SR-2 - -

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

- - -

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

- - - - Privacy Impact Assessments - RA-8 - RA-08 - [EGOV] - [OMB A-130, Appendix II] - CM-13 - PT-2 - PT-3 - PT-6 - RA-1 - RA-2 - RA-3 - RA-7 - -

Conduct privacy impact assessments for systems, programs, or other activities before:

- - a. -

Developing or procuring information technology that processes personally identifiable information; and

- - - b. -

Initiating a new collection of personally identifiable information that:

- - 1. -

Will be processed using information technology; and

- - - 2. -

Includes personally identifiable information permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the federal government.

- - - - -

A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis. -Organizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology. -To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes which may have different labels, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.

- - - - - System and Services Acquisition - - Policy and Procedures - - - - - - - - - - - - - - SA-1 - SA-01 - [OMB A-130] - [SP 800-12] - [SP 800-30] - [SP 800-39] - [SP 800-100] - [SP 800-160 v1] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and services acquisition policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

- - - c. -

Review and update the current system and services acquisition:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Acquisition Process - - - - - SA-4 - SA-04 - [PRIVACT] - [OMB A-130] - [ISO 15408-1] - [ISO 15408-2] - [ISO 15408-3] - [FIPS 140-3] - [FIPS 201-2] - [SP 800-35] - [SP 800-37] - [SP 800-70] - [SP 800-73-4] - [SP 800-137] - [SP 800-160 v1] - [SP 800-161] - [IR 7539] - [IR 7622] - [IR 7676] - [IR 7870] - [IR 8062] - [NIAP CCEVS] - [NSA CSFC] - CM-6 - CM-8 - PS-7 - SA-3 - SA-5 - SA-8 - SA-11 - SA-15 - SA-16 - SA-17 - SA-21 - SR-3 - SR-5 - -

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

- - a. -

Security and privacy functional requirements;

- - - b. -

Strength of mechanism requirements;

- - - c. -

Security and privacy assurance requirements;

- - - d. -

Controls needed to satisfy the security and privacy requirements.

- - - e. -

Security and privacy documentation requirements;

- - - f. -

Requirements for protecting security and privacy documentation;

- - - g. -

Description of the system development environment and environment in which the system is intended to operate;

- - - h. -

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

- - - i. -

Acceptance criteria.

- - - -

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. -Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. -Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement.

- - - - External System Services - - - - - - - SA-9 - SA-09 - [OMB A-130] - [SP 800-35] - [SP 800-160 v1] - [SP 800-161] - AC-20 - CA-3 - CP-2 - IR-4 - IR-7 - PL-10 - PL-11 - PS-7 - SA-2 - SA-4 - SR-3 - SR-5 - - - a. -

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

- - - b. -

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

- - - c. -

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

- - - -

External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - - Developer Testing and Evaluation - - - - - - - - SA-11 - SA-11 - [ISO 15408-3] - [SP 800-30] - [SP 800-53A] - [SP 800-154] - [SP 800-160 v1] - CA-2 - CA-7 - CM-4 - SA-3 - SA-4 - SA-5 - SA-8 - SA-15 - SA-17 - SI-2 - SR-5 - SR-6 - SR-7 - -

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

- - a. -

Develop and implement a plan for ongoing security and privacy assessments;

- - - b. -

Perform testing/evaluation at ;

- - - c. -

Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;

- - - d. -

Implement a verifiable flaw remediation process; and

- - - e. -

Correct flaws identified during testing and evaluation.

- - - -

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. -Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

- - - - - System and Information Integrity - - Policy and Procedures - - - - - - - - - - - - - - SI-1 - SI-01 - [OMB A-130] - [SP 800-12] - [SP 800-100] - PM-9 - PS-8 - SA-8 - SI-12 - - - a. -

Develop, document, and disseminate to :

- - 1. -

- system and information integrity policy that:

- - (a) -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

- - - (b) -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- - - - 2. -

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

- - - - b. -

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

- - - c. -

Review and update the current system and information integrity:

- - 1. -

Policy ; and

- - - 2. -

Procedures .

- - - - -

This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.

- - - - Information Management and Retention - SI-12 - SI-12 - [OMB A-130, Appendix II] - AC-1 - AT-1 - AU-1 - CA-1 - CM-1 - CP-1 - IA-1 - IR-1 - MA-1 - MP-1 - PE-1 - PL-1 - PM-1 - PS-1 - PT-1 - RA-1 - SA-1 - SC-1 - SI-1 - SR-1 - AC-16 - AU-5 - AU-11 - CA-2 - CA-3 - CA-5 - CA-6 - CA-7 - CA-9 - CM-5 - CM-9 - CP-2 - IR-8 - MP-2 - MP-3 - MP-4 - MP-6 - PL-2 - PL-4 - PM-4 - PM-8 - PM-9 - PS-2 - PS-6 - PT-1 - PT-2 - PT-3 - RA-2 - RA-3 - SA-5 - SR-1 - -

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

- - -

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel.

- - - Limit Personally Identifiable Information Elements - - - - SI-12(1) - SI-12(01) - PM-25 - PT-2 - PT-3 - RA-3 - -

Limit personally identifiable information being processed in the information life cycle to the following elements of PII: .

- - -

Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk.

- - - - Minimize Personally Identifiable Information in Testing, Training, and Research - - - - SI-12(2) - SI-12(02) - PM-22 - PM-25 - SI-19 - -

Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: .

- - -

Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them.

- - - - Information Disposal - - - - SI-12(3) - SI-12(03) - MP-6 - -

Use the following techniques to dispose of, destroy, or erase information following the retention period: .

- - -

Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. Disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.

- - - - - Personally Identifiable Information Quality Operations - - - - SI-18 - SI-18 - [SP 800-188] - PM-22 - PM-24 - SI-4 - - - a. -

Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle ; and

- - - b. -

Correct or delete inaccurate or outdated personally identifiable information.

- - - -

Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes.

- - - Individual Requests - SI-18(4) - SI-18(04) - PM-22 - -

Correct or delete personally identifiable information upon request by individuals or their designated representatives.

- - -

Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion in determining if personally identifiable information is to be corrected or deleted, based on the scope of requests, the changes sought, the impact of the changes, and applicable laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion.

- - - - - De-identification - - - - - - - SI-19 - SI-19 - [OMB A-130, Appendix II] - [SP 800-188] - MP-6 - PM-22 - PM-23 - PM-24 - RA-2 - SI-12 - - - a. -

Remove the following elements of personally identifiable information from datasets: ; and

- - - b. -

Evaluate for effectiveness of de-identification.

- - - -

De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection, since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time supports management of this residual risk.

- - - - - - [PRIVACT] - - Privacy Act (P.L. 93-579), December 1974. - - - - - [EGOV] - - E-Government Act [includes FISMA] (P.L. 107-347), December 2002. - - - - - [FISMA] - - Federal Information Security Modernization Act (P.L. 113-283), December 2014. - - - - - [HSPD 7] - - Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003. - - - - - [OMB A-108] - - Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, December 2016. - - - - - - [OMB A-130] - - Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016. - - - - - [OMB M-17-06] - - Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services, November 2016. - - - - - - [OMB M-17-12] - - Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017. - - - - - - [DHS NIPP] - - Department of Homeland Security, National Infrastructure Protection Plan (NIPP), 2009. - - - - - [ISO 15408-1] - - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model, April 2017. - - - - - - [ISO 15408-2] - - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements, April 2017. - - - - - - [ISO 15408-3] - - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements, April 2017. - - - - - - [FIPS 140-3] - - National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - - - - - [FIPS 199] - - National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - - - - - [FIPS 200] - - National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - - - - - [FIPS 201-2] - - National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - - - - - [SP 800-12] - - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. - - - - - - [SP 800-18] - - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. - - - - - - [SP 800-30] - - Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - - - - - [SP 800-35] - - Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - - - - - [SP 800-37] - - Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - - - - - [SP 800-39] - - Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - - - - - [SP 800-50] - - Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - - - - - [SP 800-53A] - - Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - - - - - [SP 800-55] - - Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - - - - - [SP 800-60 v1] - - Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - - - - - [SP 800-60 v2] - - Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - - - - - [SP 800-61] - - Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - - - - - [SP 800-63-3] - - Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - - - - - [SP 800-70] - - Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - - - - - [SP 800-73-4] - - Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - - - - - [SP 800-83] - - Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - - - - - [SP 800-84] - - Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - - - - - [SP 800-86] - - Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - - - - - [SP 800-88] - - Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - - - - - [SP 800-92] - - Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - - - - - [SP 800-100] - - Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - - - - - [SP 800-101] - - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. - - - - - - [SP 800-115] - - Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - - - - - [SP 800-124] - - Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - - - - - [SP 800-128] - - Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - - - - - [SP 800-137] - - Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - - - - - [SP 800-150] - - Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - - - - - [SP 800-154] - - Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. - - - - - [SP 800-160 v1] - - Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - - - - - [SP 800-160 v2] - - Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - - - - - [SP 800-161] - - Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - - - - - [SP 800-181] - - Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - - - - - [SP 800-184] - - Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - - - - - [SP 800-188] - - Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - - - - - [IR 7539] - - Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - - - - - [IR 7559] - - Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - - - - - [IR 7622] - - Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - - - - - [IR 7676] - - Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - - - - - [IR 7870] - - Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - - - - - [IR 7874] - - Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - - - - - [IR 8011 v1] - - Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - - - - - [IR 8023] - - Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - - - - - [IR 8062] - - Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - - - - - [NIAP CCEVS] - - National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. - - - - - [NSA CSFC] - - National Security Agency, Commercial Solutions for Classified Program (CSfC). - - - - - [NSA MEDIA] - - National Security Agency, Media Destruction Guidance. - - - - - diff --git a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml b/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml deleted file mode 100644 index 20c4a4ec36..0000000000 --- a/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml +++ /dev/null @@ -1,128 +0,0 @@ - - - - SP800-53 PRIVACY BASELINE - 2020-08-26T16:28:37.032-04:00 - FPD - 1.0.0-milestone3 - - Document Creator - - - Contact - - - Joint Task Force, Transformation Initiative -
- National Institute of Standards and Technology - Attn: Computer Security Division - Information Technology Laboratory - 100 Bureau Drive (Mail Stop 8930) - Gaithersburg - MD - 20899-8930 -
- sec-cert@nist.gov - - - d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - - - d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - true - - diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.yaml deleted file mode 100644 index 91462d4ffe..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline-resolved-profile_catalog.yaml +++ /dev/null @@ -1,30913 +0,0 @@ -catalog: - uuid: 5656c824-bd88-462c-b967-bb7cb01cdbbd - metadata: - title: SP800-53 HIGH IMPACT BASELINE - last-modified: 2020-08-26T16:28:38.111-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - properties: - - - name: resolution-timestamp - value: 2020-08-31T17:39:35.488827Z - links: - - - href: NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.xml - rel: resolution-source - text: SP800-53 HIGH IMPACT BASELINE - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: a90f4235-ab3c-4bf1-ba0a-865bbc833346 - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: a90f4235-ab3c-4bf1-ba0a-865bbc833346 - contact: - party-uuids: a90f4235-ab3c-4bf1-ba0a-865bbc833346 - groups: - - - id: ac - class: family - title: Access Control - controls: - - - id: ac-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ac-1_prm_1 - label: organization-defined personnel or roles - - - id: ac-1_prm_2 - - - id: ac-1_prm_3 - label: organization-defined official - - - id: ac-1_prm_4 - label: organization-defined frequency - - - id: ac-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AC-1 - - - name: sort-id - value: AC-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ac-1_smt - name: statement - parts: - - - id: ac-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ac-1_prm_1 }}: - parts: - - - id: ac-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ac-1_prm_2 }} access control policy that: - """ - parts: - - - id: ac-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ac-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ac-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the access control policy and the associated access controls; - - - id: ac-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and - - - id: ac-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current access control: - parts: - - - id: ac-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ac-1_prm_4 }}; and - - - id: ac-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ac-1_prm_5 }}. - - - id: ac-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ac-2 - class: SP800-53 - title: Account Management - parameters: - - - id: ac-2_prm_1 - label: organization-defined attributes (as required) - - - id: ac-2_prm_2 - label: organization-defined personnel or roles - - - id: ac-2_prm_3 - label: organization-defined policy, procedures, and conditions - - - id: ac-2_prm_4 - label: organization-defined personnel or roles - - - id: ac-2_prm_5 - label: organization-defined time-period - - - id: ac-2_prm_6 - label: organization-defined time-period - - - id: ac-2_prm_7 - label: organization-defined time-period - - - id: ac-2_prm_8 - label: organization-defined attributes (as required) - - - id: ac-2_prm_9 - label: organization-defined frequency - properties: - - - name: label - value: AC-2 - - - name: sort-id - value: AC-02 - links: - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #06d3c11a-4a00-42d9-ad75-e6a777ffae5e - rel: reference - text: [SP 800-192] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ac-24 - rel: related - text: AC-24 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-37 - rel: related - text: SC-37 - parts: - - - id: ac-2_smt - name: statement - parts: - - - id: ac-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define and document the types of accounts allowed for use within the system; - - - id: ac-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Assign account managers; - - - id: ac-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Establish conditions for group and role membership; - - - id: ac-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Specify: - parts: - - - id: ac-2_smt.d.1 - name: item - properties: - - - name: label - value: 1. - prose: Authorized users of the system; - - - id: ac-2_smt.d.2 - name: item - properties: - - - name: label - value: 2. - prose: Group and role membership; and - - - id: ac-2_smt.d.3 - name: item - properties: - - - name: label - value: 3. - prose: Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account; - - - id: ac-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Require approvals by {{ ac-2_prm_2 }} for requests to create accounts; - - - id: ac-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }}; - - - id: ac-2_smt.g - name: item - properties: - - - name: label - value: g. - prose: Monitor the use of accounts; - - - id: ac-2_smt.h - name: item - properties: - - - name: label - value: h. - prose: Notify account managers and {{ ac-2_prm_4 }} within: - parts: - - - id: ac-2_smt.h.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ac-2_prm_5 }} when accounts are no longer required; - """ - - - id: ac-2_smt.h.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ ac-2_prm_6 }} when users are terminated or transferred; and - """ - - - id: ac-2_smt.h.3 - name: item - properties: - - - name: label - value: 3. - prose: - """ - - {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual; - """ - - - id: ac-2_smt.i - name: item - properties: - - - name: label - value: i. - prose: Authorize access to the system based on: - parts: - - - id: ac-2_smt.i.1 - name: item - properties: - - - name: label - value: 1. - prose: A valid access authorization; - - - id: ac-2_smt.i.2 - name: item - properties: - - - name: label - value: 2. - prose: Intended system usage; and - - - id: ac-2_smt.i.3 - name: item - properties: - - - name: label - value: 3. - prose: - """ - - {{ ac-2_prm_8 }}; - """ - - - id: ac-2_smt.j - name: item - properties: - - - name: label - value: j. - prose: Review accounts for compliance with account management requirements {{ ac-2_prm_9 }}; - - - id: ac-2_smt.k - name: item - properties: - - - name: label - value: k. - prose: Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and - - - id: ac-2_smt.l - name: item - properties: - - - name: label - value: l. - prose: Align account management processes with personnel termination and transfer processes. - - - id: ac-2_gdn - name: guidance - prose: - """ - Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy. - Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. - Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training. - """ - controls: - - - id: ac-2.1 - class: SP800-53-enhancement - title: Automated System Account Management - parameters: - - - id: ac-2.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: AC-2(1) - - - name: sort-id - value: AC-02(01) - parts: - - - id: ac-2.1_smt - name: statement - prose: Support the management of system accounts using {{ ac-2.1_prm_1 }}. - - - id: ac-2.1_gdn - name: guidance - prose: Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage. - - - id: ac-2.2 - class: SP800-53-enhancement - title: Automated Temporary and Emergency Account Management - parameters: - - - id: ac-2.2_prm_1 - - - id: ac-2.2_prm_2 - label: organization-defined time-period for each type of account - properties: - - - name: label - value: AC-2(2) - - - name: sort-id - value: AC-02(02) - parts: - - - id: ac-2.2_smt - name: statement - prose: Automatically {{ ac-2.2_prm_1 }} temporary and emergency accounts after {{ ac-2.2_prm_2 }}. - - - id: ac-2.2_gdn - name: guidance - prose: Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation. - - - id: ac-2.3 - class: SP800-53-enhancement - title: Disable Accounts - parameters: - - - id: ac-2.3_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AC-2(3) - - - name: sort-id - value: AC-02(03) - parts: - - - id: ac-2.3_smt - name: statement - prose: Disable accounts when the accounts: - parts: - - - id: ac-2.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Have expired; - - - id: ac-2.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Are no longer associated with a user or individual; - - - id: ac-2.3_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Are in violation of organizational policy; or - - - id: ac-2.3_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Have been inactive for {{ ac-2.3_prm_1 }}. - - - id: ac-2.3_gdn - name: guidance - prose: Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system. - - - id: ac-2.4 - class: SP800-53-enhancement - title: Automated Audit Actions - properties: - - - name: label - value: AC-2(4) - - - name: sort-id - value: AC-02(04) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - parts: - - - id: ac-2.4_smt - name: statement - prose: Automatically audit account creation, modification, enabling, disabling, and removal actions. - - - id: ac-2.4_gdn - name: guidance - prose: Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6. - - - id: ac-2.5 - class: SP800-53-enhancement - title: Inactivity Logout - parameters: - - - id: ac-2.5_prm_1 - label: organization-defined time-period of expected inactivity or description of when to log out - properties: - - - name: label - value: AC-2(5) - - - name: sort-id - value: AC-02(05) - links: - - - href: #ac-11 - rel: related - text: AC-11 - parts: - - - id: ac-2.5_smt - name: statement - prose: Require that users log out when {{ ac-2.5_prm_1 }}. - - - id: ac-2.5_gdn - name: guidance - prose: Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11. - - - id: ac-2.11 - class: SP800-53-enhancement - title: Usage Conditions - parameters: - - - id: ac-2.11_prm_1 - label: organization-defined circumstances and/or usage conditions - - - id: ac-2.11_prm_2 - label: organization-defined system accounts - properties: - - - name: label - value: AC-2(11) - - - name: sort-id - value: AC-02(11) - parts: - - - id: ac-2.11_smt - name: statement - prose: Enforce {{ ac-2.11_prm_1 }} for {{ ac-2.11_prm_2 }}. - - - id: ac-2.11_gdn - name: guidance - prose: Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time. - - - id: ac-2.12 - class: SP800-53-enhancement - title: Account Monitoring for Atypical Usage - parameters: - - - id: ac-2.12_prm_1 - label: organization-defined atypical usage - - - id: ac-2.12_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: AC-2(12) - - - name: sort-id - value: AC-02(12) - links: - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-2.12_smt - name: statement - parts: - - - id: ac-2.12_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Monitor system accounts for {{ ac-2.12_prm_1 }}; and - - - id: ac-2.12_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Report atypical usage of system accounts to {{ ac-2.12_prm_2 }}. - - - id: ac-2.12_gdn - name: guidance - prose: Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals working in organizations. Account monitoring may inadvertently create privacy risks. Data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan. - - - id: ac-2.13 - class: SP800-53-enhancement - title: Disable Accounts for High-risk Individuals - parameters: - - - id: ac-2.13_prm_1 - label: organization-defined time-period - - - id: ac-2.13_prm_2 - label: organization-defined significant risks - properties: - - - name: label - value: AC-2(13) - - - name: sort-id - value: AC-02(13) - links: - - - href: #au-6 - rel: related - text: AU-6 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-2.13_smt - name: statement - prose: Disable accounts of users within {{ ac-2.13_prm_1 }} of discovery of {{ ac-2.13_prm_2 }}. - - - id: ac-2.13_gdn - name: guidance - prose: Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement. - - - id: ac-3 - class: SP800-53 - title: Access Enforcement - properties: - - - name: label - value: AC-3 - - - name: sort-id - value: AC-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #ac-24 - rel: related - text: AC-24 - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-6 - rel: related - text: IA-6 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-4 - rel: related - text: SC-4 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-3_smt - name: statement - prose: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - - - id: ac-3_gdn - name: guidance - prose: Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family. - - - id: ac-4 - class: SP800-53 - title: Information Flow Enforcement - parameters: - - - id: ac-4_prm_1 - label: organization-defined information flow control policies - properties: - - - name: label - value: AC-4 - - - name: sort-id - value: AC-04 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-4 - rel: related - text: SC-4 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-16 - rel: related - text: SC-16 - - - href: #sc-31 - rel: related - text: SC-31 - parts: - - - id: ac-4_smt - name: statement - prose: Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ ac-4_prm_1 }}. - - - id: ac-4_gdn - name: guidance - prose: - """ - Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels. - Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS). - """ - controls: - - - id: ac-4.4 - class: SP800-53-enhancement - title: Flow Control of Encrypted Information - parameters: - - - id: ac-4.4_prm_1 - label: organization-defined information flow control mechanisms - - - id: ac-4.4_prm_2 - - - id: ac-4.4_prm_3 - depends-on: ac-4.4_prm_2 - label: organization-defined procedure or method - properties: - - - name: label - value: AC-4(4) - - - name: sort-id - value: AC-04(04) - links: - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-4.4_smt - name: statement - prose: Prevent encrypted information from bypassing {{ ac-4.4_prm_1 }} by {{ ac-4.4_prm_2 }}. - - - id: ac-4.4_gdn - name: guidance - prose: Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms. - - - id: ac-5 - class: SP800-53 - title: Separation of Duties - parameters: - - - id: ac-5_prm_1 - label: organization-defined duties of individuals requiring separation - properties: - - - name: label - value: AC-5 - - - name: sort-id - value: AC-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: ac-5_smt - name: statement - parts: - - - id: ac-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document {{ ac-5_prm_1 }}; and - - - id: ac-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define system access authorizations to support separation of duties. - - - id: ac-5_gdn - name: guidance - prose: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3. - - - id: ac-6 - class: SP800-53 - title: Least Privilege - properties: - - - name: label - value: AC-6 - - - name: sort-id - value: AC-06 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-38 - rel: related - text: SC-38 - parts: - - - id: ac-6_smt - name: statement - prose: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. - - - id: ac-6_gdn - name: guidance - prose: Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems. - controls: - - - id: ac-6.1 - class: SP800-53-enhancement - title: Authorize Access to Security Functions - parameters: - - - id: ac-6.1_prm_1 - label: organization-defined individuals or roles - - - id: ac-6.1_prm_2 - label: organization-defined security functions (deployed in hardware, software, and firmware) - - - id: ac-6.1_prm_3 - label: organization-defined security-relevant information - properties: - - - name: label - value: AC-6(1) - - - name: sort-id - value: AC-06(01) - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #pe-2 - rel: related - text: PE-2 - parts: - - - id: ac-6.1_smt - name: statement - prose: Explicitly authorize access for {{ ac-6.1_prm_1 }} to: - parts: - - - id: ac-6.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: - """ - - {{ ac-6.1_prm_2 }}; and - """ - - - id: ac-6.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: - """ - - {{ ac-6.1_prm_3 }}. - """ - - - id: ac-6.1_gdn - name: guidance - prose: Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users. - - - id: ac-6.2 - class: SP800-53-enhancement - title: Non-privileged Access for Nonsecurity Functions - parameters: - - - id: ac-6.2_prm_1 - label: organization-defined security functions or security-relevant information - properties: - - - name: label - value: AC-6(2) - - - name: sort-id - value: AC-06(02) - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #pl-4 - rel: related - text: PL-4 - parts: - - - id: ac-6.2_smt - name: statement - prose: Require that users of system accounts (or roles) with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions. - - - id: ac-6.2_gdn - name: guidance - prose: Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. - - - id: ac-6.3 - class: SP800-53-enhancement - title: Network Access to Privileged Commands - parameters: - - - id: ac-6.3_prm_1 - label: organization-defined privileged commands - - - id: ac-6.3_prm_2 - label: organization-defined compelling operational needs - properties: - - - name: label - value: AC-6(3) - - - name: sort-id - value: AC-06(03) - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - parts: - - - id: ac-6.3_smt - name: statement - prose: Authorize network access to {{ ac-6.3_prm_1 }} only for {{ ac-6.3_prm_2 }} and document the rationale for such access in the security plan for the system. - - - id: ac-6.3_gdn - name: guidance - prose: Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). - - - id: ac-6.5 - class: SP800-53-enhancement - title: Privileged Accounts - parameters: - - - id: ac-6.5_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: AC-6(5) - - - name: sort-id - value: AC-06(05) - links: - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - parts: - - - id: ac-6.5_smt - name: statement - prose: Restrict privileged accounts on the system to {{ ac-6.5_prm_1 }}. - - - id: ac-6.5_gdn - name: guidance - prose: Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. - - - id: ac-6.7 - class: SP800-53-enhancement - title: Review of User Privileges - parameters: - - - id: ac-6.7_prm_1 - label: organization-defined frequency - - - id: ac-6.7_prm_2 - label: organization-defined roles or classes of users - properties: - - - name: label - value: AC-6(7) - - - name: sort-id - value: AC-06(07) - links: - - - href: #ca-7 - rel: related - text: CA-7 - parts: - - - id: ac-6.7_smt - name: statement - parts: - - - id: ac-6.7_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Review {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and - - - id: ac-6.7_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. - - - id: ac-6.7_gdn - name: guidance - prose: The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. - - - id: ac-6.9 - class: SP800-53-enhancement - title: Log Use of Privileged Functions - properties: - - - name: label - value: AC-6(9) - - - name: sort-id - value: AC-06(09) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-12 - rel: related - text: AU-12 - parts: - - - id: ac-6.9_smt - name: statement - prose: Audit the execution of privileged functions. - - - id: ac-6.9_gdn - name: guidance - prose: The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat. - - - id: ac-6.10 - class: SP800-53-enhancement - title: Prohibit Non-privileged Users from Executing Privileged Functions - properties: - - - name: label - value: AC-6(10) - - - name: sort-id - value: AC-06(10) - parts: - - - id: ac-6.10_smt - name: statement - prose: Prevent non-privileged users from executing privileged functions. - - - id: ac-6.10_gdn - name: guidance - prose: Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3. - - - id: ac-7 - class: SP800-53 - title: Unsuccessful Logon Attempts - parameters: - - - id: ac-7_prm_1 - label: organization-defined number - - - id: ac-7_prm_2 - label: organization-defined time-period - - - id: ac-7_prm_3 - - - id: ac-7_prm_4 - depends-on: ac-7_prm_3 - label: organization-defined time-period - - - id: ac-7_prm_5 - depends-on: ac-7_prm_3 - label: organization-defined delay algorithm - - - id: ac-7_prm_6 - depends-on: ac-7_prm_3 - label: organization-defined action - properties: - - - name: label - value: AC-7 - - - name: sort-id - value: AC-07 - links: - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-9 - rel: related - text: AC-9 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-5 - rel: related - text: IA-5 - parts: - - - id: ac-7_smt - name: statement - parts: - - - id: ac-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and - - - id: ac-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded. - - - id: ac-7_gdn - name: guidance - prose: - """ - This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address. - Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need. - """ - - - id: ac-8 - class: SP800-53 - title: System Use Notification - parameters: - - - id: ac-8_prm_1 - label: organization-defined system use notification message or banner - - - id: ac-8_prm_2 - label: organization-defined conditions - properties: - - - name: label - value: AC-8 - - - name: sort-id - value: AC-08 - links: - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-8_smt - name: statement - parts: - - - id: ac-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: - parts: - - - id: ac-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Users are accessing a U.S. Government system; - - - id: ac-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: System usage may be monitored, recorded, and subject to audit; - - - id: ac-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and - - - id: ac-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Use of the system indicates consent to monitoring and recording; - - - id: ac-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and - - - id: ac-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: For publicly accessible systems: - parts: - - - id: ac-8_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system; - - - id: ac-8_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and - - - id: ac-8_smt.c.3 - name: item - properties: - - - name: label - value: 3. - prose: Include a description of the authorized uses of the system. - - - id: ac-8_gdn - name: guidance - prose: System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. - - - id: ac-10 - class: SP800-53 - title: Concurrent Session Control - parameters: - - - id: ac-10_prm_1 - label: organization-defined account and/or account type - - - id: ac-10_prm_2 - label: organization-defined number - properties: - - - name: label - value: AC-10 - - - name: sort-id - value: AC-10 - links: - - - href: #sc-23 - rel: related - text: SC-23 - parts: - - - id: ac-10_smt - name: statement - prose: Limit the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}. - - - id: ac-10_gdn - name: guidance - prose: Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for system accounts and does not address concurrent sessions by single users via multiple system accounts. - - - id: ac-11 - class: SP800-53 - title: Device Lock - parameters: - - - id: ac-11_prm_1 - - - id: ac-11_prm_2 - depends-on: ac-11_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AC-11 - - - name: sort-id - value: AC-11 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #pl-4 - rel: related - text: PL-4 - parts: - - - id: ac-11_smt - name: statement - parts: - - - id: ac-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Prevent further access to the system by {{ ac-11_prm_1 }}; and - - - id: ac-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the device lock until the user reestablishes access using established identification and authentication procedures. - - - id: ac-11_gdn - name: guidance - prose: Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays. - controls: - - - id: ac-11.1 - class: SP800-53-enhancement - title: Pattern-hiding Displays - properties: - - - name: label - value: AC-11(1) - - - name: sort-id - value: AC-11(01) - parts: - - - id: ac-11.1_smt - name: statement - prose: Conceal, via the device lock, information previously visible on the display with a publicly viewable image. - - - id: ac-11.1_gdn - name: guidance - prose: The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed. - - - id: ac-12 - class: SP800-53 - title: Session Termination - parameters: - - - id: ac-12_prm_1 - label: organization-defined conditions or trigger events requiring session disconnect - properties: - - - name: label - value: AC-12 - - - name: sort-id - value: AC-12 - links: - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sc-10 - rel: related - text: SC-10 - - - href: #sc-23 - rel: related - text: SC-23 - parts: - - - id: ac-12_smt - name: statement - prose: Automatically terminate a user session after {{ ac-12_prm_1 }}. - - - id: ac-12_gdn - name: guidance - prose: Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use. - - - id: ac-14 - class: SP800-53 - title: Permitted Actions Without Identification or Authentication - parameters: - - - id: ac-14_prm_1 - label: organization-defined user actions - properties: - - - name: label - value: AC-14 - - - name: sort-id - value: AC-14 - links: - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: ac-14_smt - name: statement - parts: - - - id: ac-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and - - - id: ac-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. - - - id: ac-14_gdn - name: guidance - prose: Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none. - - - id: ac-17 - class: SP800-53 - title: Remote Access - properties: - - - name: label - value: AC-17 - - - name: sort-id - value: AC-17 - links: - - - href: #7768c184-088d-4ee8-a316-f9286b52df7f - rel: reference - text: [SP 800-46] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #36132a58-56fd-4980-9f6c-c010d3faf52b - rel: reference - text: [SP 800-113] - - - href: #49fa1ee1-aaf7-4270-bb5a-a86497f717dc - rel: reference - text: [SP 800-114] - - - href: #60b24979-65b8-4ca5-a442-11b74339fab5 - rel: reference - text: [SP 800-121] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-17 - rel: related - text: PE-17 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-10 - rel: related - text: SC-10 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-17_smt - name: statement - parts: - - - id: ac-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and - - - id: ac-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize each type of remote access to the system prior to allowing such connections. - - - id: ac-17_gdn - name: guidance - prose: Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3. - controls: - - - id: ac-17.1 - class: SP800-53-enhancement - title: Monitoring and Control - properties: - - - name: label - value: AC-17(1) - - - name: sort-id - value: AC-17(01) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - parts: - - - id: ac-17.1_smt - name: statement - prose: Employ automated mechanisms to monitor and control remote access methods. - - - id: ac-17.1_gdn - name: guidance - prose: Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a. - - - id: ac-17.2 - class: SP800-53-enhancement - title: Protection of Confidentiality and Integrity Using Encryption - properties: - - - name: label - value: AC-17(2) - - - name: sort-id - value: AC-17(02) - links: - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ac-17.2_smt - name: statement - prose: Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. - - - id: ac-17.2_gdn - name: guidance - prose: Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions. - - - id: ac-17.3 - class: SP800-53-enhancement - title: Managed Access Control Points - properties: - - - name: label - value: AC-17(3) - - - name: sort-id - value: AC-17(03) - links: - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: ac-17.3_smt - name: statement - prose: Route remote accesses through authorized and managed network access control points. - - - id: ac-17.3_gdn - name: guidance - prose: Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface. - - - id: ac-17.4 - class: SP800-53-enhancement - title: Privileged Commands and Access - parameters: - - - id: ac-17.4_prm_1 - label: organization-defined needs - properties: - - - name: label - value: AC-17(4) - - - name: sort-id - value: AC-17(04) - links: - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ac-17.4_smt - name: statement - parts: - - - id: ac-17.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ ac-17.4_prm_1 }}; and - - - id: ac-17.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Document the rationale for remote access in the security plan for the system. - - - id: ac-17.4_gdn - name: guidance - prose: Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability. - - - id: ac-18 - class: SP800-53 - title: Wireless Access - properties: - - - name: label - value: AC-18 - - - name: sort-id - value: AC-18 - links: - - - href: #41e2e2c6-2260-4258-85c8-09db17c43103 - rel: reference - text: [SP 800-94] - - - href: #6bed1550-cd5d-4e80-8d83-4e597c1514fe - rel: reference - text: [SP 800-97] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-18_smt - name: statement - parts: - - - id: ac-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and - - - id: ac-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize each type of wireless access to the system prior to allowing such connections. - - - id: ac-18_gdn - name: guidance - prose: Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication. - controls: - - - id: ac-18.1 - class: SP800-53-enhancement - title: Authentication and Encryption - parameters: - - - id: ac-18.1_prm_1 - properties: - - - name: label - value: AC-18(1) - - - name: sort-id - value: AC-18(01) - links: - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ac-18.1_smt - name: statement - prose: Protect wireless access to the system using authentication of {{ ac-18.1_prm_1 }} and encryption. - - - id: ac-18.1_gdn - name: guidance - prose: Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies. - - - id: ac-18.3 - class: SP800-53-enhancement - title: Disable Wireless Networking - properties: - - - name: label - value: AC-18(3) - - - name: sort-id - value: AC-18(03) - parts: - - - id: ac-18.3_smt - name: statement - prose: Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. - - - id: ac-18.3_gdn - name: guidance - prose: Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies. - - - id: ac-18.4 - class: SP800-53-enhancement - title: Restrict Configurations by Users - properties: - - - name: label - value: AC-18(4) - - - name: sort-id - value: AC-18(04) - links: - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-15 - rel: related - text: SC-15 - parts: - - - id: ac-18.4_smt - name: statement - prose: Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. - - - id: ac-18.4_gdn - name: guidance - prose: Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational systems. - - - id: ac-18.5 - class: SP800-53-enhancement - title: Antennas and Transmission Power Levels - properties: - - - name: label - value: AC-18(5) - - - name: sort-id - value: AC-18(05) - links: - - - href: #pe-19 - rel: related - text: PE-19 - parts: - - - id: ac-18.5_smt - name: statement - prose: Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. - - - id: ac-18.5_gdn - name: guidance - prose: Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization; employing measures such as emissions security to control wireless emanations; and using directional or beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area. - - - id: ac-19 - class: SP800-53 - title: Access Control for Mobile Devices - properties: - - - name: label - value: AC-19 - - - name: sort-id - value: AC-19 - links: - - - href: #49fa1ee1-aaf7-4270-bb5a-a86497f717dc - rel: reference - text: [SP 800-114] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-11 - rel: related - text: AC-11 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-19_smt - name: statement - parts: - - - id: ac-19_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and - - - id: ac-19_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize the connection of mobile devices to organizational systems. - - - id: ac-19_gdn - name: guidance - prose: - """ - A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. - Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. - Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. - """ - controls: - - - id: ac-19.5 - class: SP800-53-enhancement - title: Full Device and Container-based Encryption - parameters: - - - id: ac-19.5_prm_1 - - - id: ac-19.5_prm_2 - label: organization-defined mobile devices - properties: - - - name: label - value: AC-19(5) - - - name: sort-id - value: AC-19(05) - links: - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - parts: - - - id: ac-19.5_smt - name: statement - prose: Employ {{ ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ ac-19.5_prm_2 }}. - - - id: ac-19.5_gdn - name: guidance - prose: Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields. - - - id: ac-20 - class: SP800-53 - title: Use of External Systems - parameters: - - - id: ac-20_prm_1 - - - id: ac-20_prm_2 - depends-on: ac-20_prm_1 - label: organization-defined terms and conditions - - - id: ac-20_prm_3 - depends-on: ac-20_prm_1 - label: organization-defined controls asserted to be implemented on external systems - properties: - - - name: label - value: AC-20 - - - name: sort-id - value: AC-20 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - rel: reference - text: [SP 800-171B] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: ac-20_smt - name: statement - prose: Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: - parts: - - - id: ac-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Access the system from external systems; and - - - id: ac-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Process, store, or transmit organization-controlled information using external systems. - - - id: ac-20_gdn - name: guidance - prose: - """ - External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries. - For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. - This control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. - """ - controls: - - - id: ac-20.1 - class: SP800-53-enhancement - title: Limits on Authorized Use - properties: - - - name: label - value: AC-20(1) - - - name: sort-id - value: AC-20(01) - links: - - - href: #ca-2 - rel: related - text: CA-2 - parts: - - - id: ac-20.1_smt - name: statement - prose: Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: - parts: - - - id: ac-20.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or - - - id: ac-20.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Retention of approved system connection or processing agreements with the organizational entity hosting the external system. - - - id: ac-20.1_gdn - name: guidance - prose: Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations. - - - id: ac-20.2 - class: SP800-53-enhancement - title: Portable Storage Devices — Restricted Use - parameters: - - - id: ac-20.2_prm_1 - label: organization-defined restrictions - properties: - - - name: label - value: AC-20(2) - - - name: sort-id - value: AC-20(02) - links: - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #sc-41 - rel: related - text: SC-41 - parts: - - - id: ac-20.2_smt - name: statement - prose: Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ ac-20.2_prm_1 }}. - - - id: ac-20.2_gdn - name: guidance - prose: Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used. - - - id: ac-21 - class: SP800-53 - title: Information Sharing - parameters: - - - id: ac-21_prm_1 - label: organization-defined information sharing circumstances where user discretion is required - - - id: ac-21_prm_2 - label: organization-defined automated mechanisms or manual processes - properties: - - - name: label - value: AC-21 - - - name: sort-id - value: AC-21 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ad3e8f21-07c6-4968-b002-00b64dfa70ae - rel: reference - text: [SP 800-150] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sc-15 - rel: related - text: SC-15 - parts: - - - id: ac-21_smt - name: statement - parts: - - - id: ac-21_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ ac-21_prm_1 }}; and - - - id: ac-21_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ {{ ac-21_prm_2 }} to assist users in making information sharing and collaboration decisions. - - - id: ac-21_gdn - name: guidance - prose: Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). - - - id: ac-22 - class: SP800-53 - title: Publicly Accessible Content - parameters: - - - id: ac-22_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: AC-22 - - - name: sort-id - value: AC-22 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-13 - rel: related - text: AU-13 - parts: - - - id: ac-22_smt - name: statement - parts: - - - id: ac-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Designate individuals authorized to make information publicly accessible; - - - id: ac-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; - - - id: ac-22_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and - - - id: ac-22_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered. - - - id: ac-22_gdn - name: guidance - prose: In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible. - - - id: at - class: family - title: Awareness and Training - controls: - - - id: at-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: at-1_prm_1 - label: organization-defined personnel or roles - - - id: at-1_prm_2 - - - id: at-1_prm_3 - label: organization-defined official - - - id: at-1_prm_4 - label: organization-defined frequency - - - id: at-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AT-1 - - - name: sort-id - value: AT-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-1_smt - name: statement - parts: - - - id: at-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ at-1_prm_1 }}: - parts: - - - id: at-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ at-1_prm_2 }} awareness and training policy that: - """ - parts: - - - id: at-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: at-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: at-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; - - - id: at-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and - - - id: at-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current awareness and training: - parts: - - - id: at-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ at-1_prm_4 }}; and - - - id: at-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ at-1_prm_5 }}. - - - id: at-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: at-2 - class: SP800-53 - title: Awareness Training - parameters: - - - id: at-2_prm_1 - label: organization-defined frequency - - - id: at-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: AT-2 - - - name: sort-id - value: AT-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-16 - rel: related - text: SA-16 - parts: - - - id: at-2_smt - name: statement - parts: - - - id: at-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide security and privacy awareness training to system users (including managers, senior executives, and contractors): - parts: - - - id: at-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and - - - id: at-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update awareness training {{ at-2_prm_2 }}. - - - id: at-2_gdn - name: guidance - prose: - """ - Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. - Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective. - """ - controls: - - - id: at-2.2 - class: SP800-53-enhancement - title: Insider Threat - properties: - - - name: label - value: AT-2(2) - - - name: sort-id - value: AT-02(02) - links: - - - href: #pm-12 - rel: related - text: PM-12 - parts: - - - id: at-2.2_smt - name: statement - prose: Provide awareness training on recognizing and reporting potential indicators of insider threat. - - - id: at-2.2_gdn - name: guidance - prose: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations. - - - id: at-2.3 - class: SP800-53-enhancement - title: Social Engineering and Mining - properties: - - - name: label - value: AT-2(3) - - - name: sort-id - value: AT-02(03) - parts: - - - id: at-2.3_smt - name: statement - prose: Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining. - - - id: at-2.3_gdn - name: guidance - prose: Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures. - - - id: at-3 - class: SP800-53 - title: Role-based Training - parameters: - - - id: at-3_prm_1 - label: organization-defined roles and responsibilities - - - id: at-3_prm_2 - label: organization-defined frequency - - - id: at-3_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AT-3 - - - name: sort-id - value: AT-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: at-3_smt - name: statement - parts: - - - id: at-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}: - parts: - - - id: at-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and - - - id: at-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update role-based training {{ at-3_prm_3 }}. - - - id: at-3_gdn - name: guidance - prose: - """ - Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. - Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective. - """ - - - id: at-4 - class: SP800-53 - title: Training Records - parameters: - - - id: at-4_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AT-4 - - - name: sort-id - value: AT-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-4_smt - name: statement - parts: - - - id: at-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and - - - id: at-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain individual training records for {{ at-4_prm_1 }}. - - - id: at-4_gdn - name: guidance - prose: Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies. - - - id: au - class: family - title: Audit and Accountability - controls: - - - id: au-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: au-1_prm_1 - label: organization-defined personnel or roles - - - id: au-1_prm_2 - - - id: au-1_prm_3 - label: organization-defined official - - - id: au-1_prm_4 - label: organization-defined frequency - - - id: au-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AU-1 - - - name: sort-id - value: AU-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-1_smt - name: statement - parts: - - - id: au-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ au-1_prm_1 }}: - parts: - - - id: au-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ au-1_prm_2 }} audit and accountability policy that: - """ - parts: - - - id: au-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: au-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: au-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; - - - id: au-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and - - - id: au-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current audit and accountability: - parts: - - - id: au-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ au-1_prm_4 }}; and - - - id: au-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ au-1_prm_5 }}. - - - id: au-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: au-2 - class: SP800-53 - title: Event Logging - parameters: - - - id: au-2_prm_1 - label: organization-defined event types that the system is capable of logging - - - id: au-2_prm_2 - label: organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type - - - id: au-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AU-2 - - - name: sort-id - value: AU-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #02d8ec60-6197-43f8-9f47-18732127963e - rel: reference - text: [SP 800-92] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: au-2_smt - name: statement - parts: - - - id: au-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }}; - - - id: au-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; - - - id: au-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Specify the following event types for logging within the system: {{ au-2_prm_2 }}; - - - id: au-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and - - - id: au-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Review and update the event types selected for logging {{ au-2_prm_3 }}. - - - id: au-2_gdn - name: guidance - prose: - """ - An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. - To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. - Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. - """ - - - id: au-3 - class: SP800-53 - title: Content of Audit Records - properties: - - - name: label - value: AU-3 - - - name: sort-id - value: AU-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-8 - rel: related - text: AU-8 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: au-3_smt - name: statement - prose: Ensure that audit records contain information that establishes the following: - parts: - - - id: au-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: What type of event occurred; - - - id: au-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: When the event occurred; - - - id: au-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Where the event occurred; - - - id: au-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Source of the event; - - - id: au-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Outcome of the event; and - - - id: au-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Identity of any individuals, subjects, or objects/entities associated with the event. - - - id: au-3_gdn - name: guidance - prose: Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage. - controls: - - - id: au-3.1 - class: SP800-53-enhancement - title: Additional Audit Information - parameters: - - - id: au-3.1_prm_1 - label: organization-defined additional information - properties: - - - name: label - value: AU-3(1) - - - name: sort-id - value: AU-03(01) - parts: - - - id: au-3.1_smt - name: statement - prose: Generate audit records containing the following additional information: {{ au-3.1_prm_1 }}. - - - id: au-3.1_gdn - name: guidance - prose: The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest. - - - id: au-3.2 - class: SP800-53-enhancement - title: Centralized Management of Planned Audit Record Content - parameters: - - - id: au-3.2_prm_1 - label: organization-defined system components - properties: - - - name: label - value: AU-3(2) - - - name: sort-id - value: AU-03(02) - links: - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - parts: - - - id: au-3.2_smt - name: statement - prose: Provide centralized management and configuration of the content to be captured in audit records generated by {{ au-3.2_prm_1 }}. - - - id: au-3.2_gdn - name: guidance - prose: Centralized management of planned audit record content requires that the content to be captured in audit records be configured from a central location (necessitating an automated capability). Organizations coordinate the selection of the required audit record content to support the centralized management and configuration capability provided by the system. - - - id: au-4 - class: SP800-53 - title: Audit Log Storage Capacity - parameters: - - - id: au-4_prm_1 - label: organization-defined audit log retention requirements - properties: - - - name: label - value: AU-4 - - - name: sort-id - value: AU-04 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-4_smt - name: statement - prose: Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}. - - - id: au-4_gdn - name: guidance - prose: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability. - - - id: au-5 - class: SP800-53 - title: Response to Audit Logging Process Failures - parameters: - - - id: au-5_prm_1 - label: organization-defined personnel or roles - - - id: au-5_prm_2 - label: organization-defined time-period - - - id: au-5_prm_3 - label: organization-defined additional actions - properties: - - - name: label - value: AU-5 - - - name: sort-id - value: AU-05 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-5_smt - name: statement - parts: - - - id: au-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and - - - id: au-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Take the following additional actions: {{ au-5_prm_3 }}. - - - id: au-5_gdn - name: guidance - prose: Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel. - controls: - - - id: au-5.1 - class: SP800-53-enhancement - title: Storage Capacity Warning - parameters: - - - id: au-5.1_prm_1 - label: organization-defined personnel, roles, and/or locations - - - id: au-5.1_prm_2 - label: organization-defined time-period - - - id: au-5.1_prm_3 - label: organization-defined percentage - properties: - - - name: label - value: AU-5(1) - - - name: sort-id - value: AU-05(01) - parts: - - - id: au-5.1_smt - name: statement - prose: Provide a warning to {{ au-5.1_prm_1 }} within {{ au-5.1_prm_2 }} when allocated audit log storage volume reaches {{ au-5.1_prm_3 }} of repository maximum audit log storage capacity. - - - id: au-5.1_gdn - name: guidance - prose: Organizations may have multiple audit log storage repositories distributed across multiple system components, with each repository having different storage volume capacities. - - - id: au-5.2 - class: SP800-53-enhancement - title: Real-time Alerts - parameters: - - - id: au-5.2_prm_1 - label: organization-defined real-time-period - - - id: au-5.2_prm_2 - label: organization-defined personnel, roles, and/or locations - - - id: au-5.2_prm_3 - label: organization-defined audit logging failure events requiring real-time alerts - properties: - - - name: label - value: AU-5(2) - - - name: sort-id - value: AU-05(02) - parts: - - - id: au-5.2_smt - name: statement - prose: Provide an alert within {{ au-5.2_prm_1 }} to {{ au-5.2_prm_2 }} when the following audit failure events occur: {{ au-5.2_prm_3 }}. - - - id: au-5.2_gdn - name: guidance - prose: Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). - - - id: au-6 - class: SP800-53 - title: Audit Record Review, Analysis, and Reporting - parameters: - - - id: au-6_prm_1 - label: organization-defined frequency - - - id: au-6_prm_2 - label: organization-defined inappropriate or unusual activity - - - id: au-6_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: AU-6 - - - name: sort-id - value: AU-06 - links: - - - href: #35dfd59f-eef2-4f71-bdb5-6d878267456a - rel: reference - text: [SP 800-86] - - - href: #1e2c475a-84ae-4c60-b420-8fb2ea552b71 - rel: reference - text: [SP 800-101] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: au-6_smt - name: statement - parts: - - - id: au-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }}; - - - id: au-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report findings to {{ au-6_prm_3 }}; and - - - id: au-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. - - - id: au-6_gdn - name: guidance - prose: Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. - controls: - - - id: au-6.1 - class: SP800-53-enhancement - title: Automated Process Integration - parameters: - - - id: au-6.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: AU-6(1) - - - name: sort-id - value: AU-06(01) - links: - - - href: #pm-7 - rel: related - text: PM-7 - parts: - - - id: au-6.1_smt - name: statement - prose: Integrate audit record review, analysis, and reporting processes using {{ au-6.1_prm_1 }}. - - - id: au-6.1_gdn - name: guidance - prose: Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits. - - - id: au-6.3 - class: SP800-53-enhancement - title: Correlate Audit Record Repositories - properties: - - - name: label - value: AU-6(3) - - - name: sort-id - value: AU-06(03) - links: - - - href: #au-12 - rel: related - text: AU-12 - - - href: #ir-4 - rel: related - text: IR-4 - parts: - - - id: au-6.3_smt - name: statement - prose: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. - - - id: au-6.3_gdn - name: guidance - prose: Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness. - - - id: au-6.5 - class: SP800-53-enhancement - title: Integrated Analysis of Audit Records - parameters: - - - id: au-6.5_prm_1 - - - id: au-6.5_prm_2 - depends-on: au-6.5_prm_1 - label: organization-defined data/information collected from other sources - properties: - - - name: label - value: AU-6(5) - - - name: sort-id - value: AU-06(05) - links: - - - href: #au-12 - rel: related - text: AU-12 - - - href: #ir-4 - rel: related - text: IR-4 - parts: - - - id: au-6.5_smt - name: statement - prose: Integrate analysis of audit records with analysis of {{ au-6.5_prm_1 }} to further enhance the ability to identify inappropriate or unusual activity. - - - id: au-6.5_gdn - name: guidance - prose: Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial of service attacks or other types of attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. - - - id: au-6.6 - class: SP800-53-enhancement - title: Correlation with Physical Monitoring - properties: - - - name: label - value: AU-6(6) - - - name: sort-id - value: AU-06(06) - parts: - - - id: au-6.6_smt - name: statement - prose: Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - - - id: au-6.6_gdn - name: guidance - prose: The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred, may be useful in investigations. - - - id: au-7 - class: SP800-53 - title: Audit Record Reduction and Report Generation - properties: - - - name: label - value: AU-7 - - - name: sort-id - value: AU-07 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-7_smt - name: statement - prose: Provide and implement an audit record reduction and report generation capability that: - parts: - - - id: au-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and - - - id: au-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Does not alter the original content or time ordering of audit records. - - - id: au-7_gdn - name: guidance - prose: Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. - controls: - - - id: au-7.1 - class: SP800-53-enhancement - title: Automatic Processing - parameters: - - - id: au-7.1_prm_1 - label: organization-defined fields within audit records - properties: - - - name: label - value: AU-7(1) - - - name: sort-id - value: AU-07(01) - parts: - - - id: au-7.1_smt - name: statement - prose: Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ au-7.1_prm_1 }}. - - - id: au-7.1_gdn - name: guidance - prose: Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component. - - - id: au-8 - class: SP800-53 - title: Time Stamps - parameters: - - - id: au-8_prm_1 - label: organization-defined granularity of time measurement - properties: - - - name: label - value: AU-8 - - - name: sort-id - value: AU-08 - links: - - - href: #17ca9481-ea11-4ef2-81c1-885fd37d4be5 - rel: reference - text: [IETF 5905] - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #sc-45 - rel: related - text: SC-45 - parts: - - - id: au-8_smt - name: statement - parts: - - - id: au-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Use internal system clocks to generate time stamps for audit records; and - - - id: au-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. - - - id: au-8_gdn - name: guidance - prose: Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. - controls: - - - id: au-8.1 - class: SP800-53-enhancement - title: Synchronization with Authoritative Time Source - parameters: - - - id: au-8.1_prm_1 - label: organization-defined frequency - - - id: au-8.1_prm_2 - label: organization-defined authoritative time source - - - id: au-8.1_prm_3 - label: organization-defined time-period - properties: - - - name: label - value: AU-8(1) - - - name: sort-id - value: AU-08(01) - parts: - - - id: au-8.1_smt - name: statement - parts: - - - id: au-8.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Compare the internal system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and - - - id: au-8.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ au-8.1_prm_3 }}. - - - id: au-8.1_gdn - name: guidance - prose: Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network. - - - id: au-9 - class: SP800-53 - title: Protection of Audit Information - properties: - - - name: label - value: AU-9 - - - name: sort-id - value: AU-09 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #au-15 - rel: related - text: AU-15 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-9_smt - name: statement - prose: Protect audit information and audit logging tools from unauthorized access, modification, and deletion. - - - id: au-9_gdn - name: guidance - prose: Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. - controls: - - - id: au-9.2 - class: SP800-53-enhancement - title: Store on Separate Physical Systems or Components - parameters: - - - id: au-9.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: AU-9(2) - - - name: sort-id - value: AU-09(02) - links: - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - parts: - - - id: au-9.2_smt - name: statement - prose: Store audit records {{ au-9.2_prm_1 }} in a repository that is part of a physically different system or system component than the system or component being audited. - - - id: au-9.2_gdn - name: guidance - prose: Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records. - - - id: au-9.3 - class: SP800-53-enhancement - title: Cryptographic Protection - properties: - - - name: label - value: AU-9(3) - - - name: sort-id - value: AU-09(03) - links: - - - href: #au-10 - rel: related - text: AU-10 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: au-9.3_smt - name: statement - prose: Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. - - - id: au-9.3_gdn - name: guidance - prose: Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - - - id: au-9.4 - class: SP800-53-enhancement - title: Access by Subset of Privileged Users - parameters: - - - id: au-9.4_prm_1 - label: organization-defined subset of privileged users or roles - properties: - - - name: label - value: AU-9(4) - - - name: sort-id - value: AU-09(04) - links: - - - href: #ac-5 - rel: related - text: AC-5 - parts: - - - id: au-9.4_smt - name: statement - prose: Authorize access to management of audit logging functionality to only {{ au-9.4_prm_1 }}. - - - id: au-9.4_gdn - name: guidance - prose: Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges. - - - id: au-10 - class: SP800-53 - title: Non-repudiation - parameters: - - - id: au-10_prm_1 - label: organization-defined actions to be covered by non-repudiation - properties: - - - name: label - value: AU-10 - - - name: sort-id - value: AU-10 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #au-9 - rel: related - text: AU-9 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-16 - rel: related - text: SC-16 - - - href: #sc-17 - rel: related - text: SC-17 - - - href: #sc-23 - rel: related - text: SC-23 - parts: - - - id: au-10_smt - name: statement - prose: Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ au-10_prm_1 }}. - - - id: au-10_gdn - name: guidance - prose: Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents; senders of not having transmitted messages; receivers of not having received messages; and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, or approving a procurement request, or received specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts. - - - id: au-11 - class: SP800-53 - title: Audit Record Retention - parameters: - - - id: au-11_prm_1 - label: organization-defined time-period consistent with records retention policy - properties: - - - name: label - value: AU-11 - - - name: sort-id - value: AU-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-11_smt - name: statement - prose: Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - - - id: au-11_gdn - name: guidance - prose: Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. - - - id: au-12 - class: SP800-53 - title: Audit Record Generation - parameters: - - - id: au-12_prm_1 - label: organization-defined system components - - - id: au-12_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: AU-12 - - - name: sort-id - value: AU-12 - links: - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - parts: - - - id: au-12_smt - name: statement - parts: - - - id: au-12_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }}; - - - id: au-12_smt.b - name: item - properties: - - - name: label - value: b. - prose: Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and - - - id: au-12_smt.c - name: item - properties: - - - name: label - value: c. - prose: Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. - - - id: au-12_gdn - name: guidance - prose: Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. - controls: - - - id: au-12.1 - class: SP800-53-enhancement - title: System-wide and Time-correlated Audit Trail - parameters: - - - id: au-12.1_prm_1 - label: organization-defined system components - - - id: au-12.1_prm_2 - label: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - properties: - - - name: label - value: AU-12(1) - - - name: sort-id - value: AU-12(01) - links: - - - href: #au-8 - rel: related - text: AU-8 - parts: - - - id: au-12.1_smt - name: statement - prose: Compile audit records from {{ au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ au-12.1_prm_2 }}. - - - id: au-12.1_gdn - name: guidance - prose: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. - - - id: au-12.3 - class: SP800-53-enhancement - title: Changes by Authorized Individuals - parameters: - - - id: au-12.3_prm_1 - label: organization-defined individuals or roles - - - id: au-12.3_prm_2 - label: organization-defined system components - - - id: au-12.3_prm_3 - label: organization-defined selectable event criteria - - - id: au-12.3_prm_4 - label: organization-defined time thresholds - properties: - - - name: label - value: AU-12(3) - - - name: sort-id - value: AU-12(03) - links: - - - href: #ac-3 - rel: related - text: AC-3 - parts: - - - id: au-12.3_smt - name: statement - prose: Provide and implement the capability for {{ au-12.3_prm_1 }} to change the logging to be performed on {{ au-12.3_prm_2 }} based on {{ au-12.3_prm_3 }} within {{ au-12.3_prm_4 }}. - - - id: au-12.3_gdn - name: guidance - prose: Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed, for example, near real-time, within minutes, or within hours. - - - id: ca - class: family - title: Assessment, Authorization, and Monitoring - controls: - - - id: ca-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ca-1_prm_1 - label: organization-defined personnel or roles - - - id: ca-1_prm_2 - - - id: ca-1_prm_3 - label: organization-defined official - - - id: ca-1_prm_4 - label: organization-defined frequency - - - id: ca-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-1 - - - name: sort-id - value: CA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-1_smt - name: statement - parts: - - - id: ca-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ca-1_prm_1 }}: - parts: - - - id: ca-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that: - """ - parts: - - - id: ca-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ca-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ca-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; - - - id: ca-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and - - - id: ca-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current assessment, authorization, and monitoring: - parts: - - - id: ca-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ca-1_prm_4 }}; and - - - id: ca-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ca-1_prm_5 }}. - - - id: ca-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ca-2 - class: SP800-53 - title: Control Assessments - parameters: - - - id: ca-2_prm_1 - label: organization-defined frequency - - - id: ca-2_prm_2 - label: organization-defined individuals or roles - properties: - - - name: label - value: CA-2 - - - name: sort-id - value: CA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: ca-2_smt - name: statement - parts: - - - id: ca-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a control assessment plan that describes the scope of the assessment including: - parts: - - - id: ca-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Controls and control enhancements under assessment; - - - id: ca-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Assessment procedures to be used to determine control effectiveness; and - - - id: ca-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Assessment environment, assessment team, and assessment roles and responsibilities; - - - id: ca-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; - - - id: ca-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; - - - id: ca-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Produce a control assessment report that document the results of the assessment; and - - - id: ca-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Provide the results of the control assessment to {{ ca-2_prm_2 }}. - - - id: ca-2_gdn - name: guidance - prose: - """ - Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. - Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. - Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. - To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control. - """ - controls: - - - id: ca-2.1 - class: SP800-53-enhancement - title: Independent Assessors - properties: - - - name: label - value: CA-2(1) - - - name: sort-id - value: CA-02(01) - parts: - - - id: ca-2.1_smt - name: statement - prose: Employ independent assessors or assessment teams to conduct control assessments. - - - id: ca-2.1_gdn - name: guidance - prose: - """ - Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services. - Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews. - When organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments. - """ - - - id: ca-2.2 - class: SP800-53-enhancement - title: Specialized Assessments - parameters: - - - id: ca-2.2_prm_1 - label: organization-defined frequency - - - id: ca-2.2_prm_2 - - - id: ca-2.2_prm_3 - - - id: ca-2.2_prm_4 - depends-on: ca-2.2_prm_3 - label: organization-defined other forms of assessment - properties: - - - name: label - value: CA-2(2) - - - name: sort-id - value: CA-02(02) - links: - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: ca-2.2_smt - name: statement - prose: Include as part of control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}. - - - id: ca-2.2_gdn - name: guidance - prose: Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle, for example, during design, development, and unit testing. - - - id: ca-3 - class: SP800-53 - title: Information Exchange - parameters: - - - id: ca-3_prm_1 - - - id: ca-3_prm_2 - depends-on: ca-3_prm_1 - label: organization-defined type of agreement - - - id: ca-3_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CA-3 - - - name: sort-id - value: CA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #2e66c31a-190e-49ad-8e00-f306f8a0df17 - rel: reference - text: [SP 800-47] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-3_smt - name: statement - parts: - - - id: ca-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }}; - - - id: ca-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and - - - id: ca-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the agreements {{ ca-3_prm_3 }}. - - - id: ca-3_gdn - name: guidance - prose: - """ - System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk. - Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks. - """ - controls: - - - id: ca-3.6 - class: SP800-53-enhancement - title: Transfer Authorizations - properties: - - - name: label - value: CA-3(6) - - - name: sort-id - value: CA-03(06) - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - parts: - - - id: ca-3.6_smt - name: statement - prose: Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data. - - - id: ca-3.6_gdn - name: guidance - prose: To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies via independent means, whether the individual or system attempting to transfer information is authorized to do so. This control enhancement also applies to control plane traffic (e.g., routing and DNS) and services such as authenticated SMTP relays. - - - id: ca-5 - class: SP800-53 - title: Plan of Action and Milestones - parameters: - - - id: ca-5_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-5 - - - name: sort-id - value: CA-05 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-5_smt - name: statement - parts: - - - id: ca-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and - - - id: ca-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities. - - - id: ca-5_gdn - name: guidance - prose: Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB. - - - id: ca-6 - class: SP800-53 - title: Authorization - parameters: - - - id: ca-6_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-6 - - - name: sort-id - value: CA-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-6_smt - name: statement - parts: - - - id: ca-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Assign a senior official as the authorizing official for the system; - - - id: ca-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; - - - id: ca-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ensure that the authorizing official for the system, before commencing operations: - parts: - - - id: ca-6_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Accepts the use of common controls inherited by the system; and - - - id: ca-6_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Authorizes the system to operate; - - - id: ca-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; - - - id: ca-6_smt.e - name: item - properties: - - - name: label - value: e. - prose: Update the authorizations {{ ca-6_prm_1 }}. - - - id: ca-6_gdn - name: guidance - prose: - """ - Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. - Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. - """ - - - id: ca-7 - class: SP800-53 - title: Continuous Monitoring - parameters: - - - id: ca-7_prm_1 - label: organization-defined system-level metrics - - - id: ca-7_prm_2 - label: organization-defined frequencies - - - id: ca-7_prm_3 - label: organization-defined frequencies - - - id: ca-7_prm_4 - label: organization-defined personnel or roles - - - id: ca-7_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-7 - - - name: sort-id - value: CA-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - rel: reference - text: [IR 8011 v1] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-31 - rel: related - text: PM-31 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: ca-7_smt - name: statement - prose: Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: - parts: - - - id: ca-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }}; - - - id: ca-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness; - - - id: ca-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing control assessments in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.e - name: item - properties: - - - name: label - value: e. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: ca-7_smt.f - name: item - properties: - - - name: label - value: f. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: ca-7_smt.g - name: item - properties: - - - name: label - value: g. - prose: - """ - Reporting the security and privacy status of the system to {{ ca-7_prm_4 }} - {{ ca-7_prm_5 }}. - """ - - - id: ca-7_gdn - name: guidance - prose: - """ - Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. - Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - """ - controls: - - - id: ca-7.1 - class: SP800-53-enhancement - title: Independent Assessment - properties: - - - name: label - value: CA-7(1) - - - name: sort-id - value: CA-07(01) - parts: - - - id: ca-7.1_smt - name: statement - prose: Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. - - - id: ca-7.1_gdn - name: guidance - prose: Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services. - - - id: ca-7.4 - class: SP800-53-enhancement - title: Risk Monitoring - properties: - - - name: label - value: CA-7(4) - - - name: sort-id - value: CA-07(04) - parts: - - - id: ca-7.4_smt - name: statement - prose: Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: - parts: - - - id: ca-7.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Effectiveness monitoring; - - - id: ca-7.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Compliance monitoring; and - - - id: ca-7.4_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Change monitoring. - - - id: ca-7.4_gdn - name: guidance - prose: Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk. - - - id: ca-8 - class: SP800-53 - title: Penetration Testing - parameters: - - - id: ca-8_prm_1 - label: organization-defined frequency - - - id: ca-8_prm_2 - label: organization-defined systems or system components - properties: - - - name: label - value: CA-8 - - - name: sort-id - value: CA-08 - links: - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: ca-8_smt - name: statement - prose: Conduct penetration testing {{ ca-8_prm_1 }} on {{ ca-8_prm_2 }}. - - - id: ca-8_gdn - name: guidance - prose: - """ - Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries in carrying out attacks and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). - Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system; pretest identification of potential vulnerabilities based on pretest analysis; and testing designed to determine exploitability of vulnerabilities. All parties agree to the rules of engagement before commencement of penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing. - """ - controls: - - - id: ca-8.1 - class: SP800-53-enhancement - title: Independent Penetration Testing Agent or Team - properties: - - - name: label - value: CA-8(1) - - - name: sort-id - value: CA-08(01) - links: - - - href: #ca-2 - rel: related - text: CA-2 - parts: - - - id: ca-8.1_smt - name: statement - prose: Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. - - - id: ca-8.1_gdn - name: guidance - prose: Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing. - - - id: ca-9 - class: SP800-53 - title: Internal System Connections - parameters: - - - id: ca-9_prm_1 - label: organization-defined system components or classes of components - - - id: ca-9_prm_2 - label: organization-defined conditions - - - id: ca-9_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CA-9 - - - name: sort-id - value: CA-09 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-9_smt - name: statement - parts: - - - id: ca-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Authorize internal connections of {{ ca-9_prm_1 }} to the system; - - - id: ca-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; - - - id: ca-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Terminate internal system connections after {{ ca-9_prm_2 }}; and - - - id: ca-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review {{ ca-9_prm_3 }} the continued need for each internal connection. - - - id: ca-9_gdn - name: guidance - prose: Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions. - - - id: cm - class: family - title: Configuration Management - controls: - - - id: cm-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: cm-1_prm_1 - label: organization-defined personnel or roles - - - id: cm-1_prm_2 - - - id: cm-1_prm_3 - label: organization-defined official - - - id: cm-1_prm_4 - label: organization-defined frequency - - - id: cm-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CM-1 - - - name: sort-id - value: CM-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cm-1_smt - name: statement - parts: - - - id: cm-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ cm-1_prm_1 }}: - parts: - - - id: cm-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cm-1_prm_2 }} configuration management policy that: - """ - parts: - - - id: cm-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: cm-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: cm-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; - - - id: cm-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and - - - id: cm-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current configuration management: - parts: - - - id: cm-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ cm-1_prm_4 }}; and - - - id: cm-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ cm-1_prm_5 }}. - - - id: cm-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: cm-2 - class: SP800-53 - title: Baseline Configuration - parameters: - - - id: cm-2_prm_1 - label: organization-defined frequency - - - id: cm-2_prm_2 - label: Assignment organization-defined circumstances - properties: - - - name: label - value: CM-2 - - - name: sort-id - value: CM-02 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #cp-12 - rel: related - text: CP-12 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-18 - rel: related - text: SC-18 - parts: - - - id: cm-2_smt - name: statement - parts: - - - id: cm-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and maintain under configuration control, a current baseline configuration of the system; and - - - id: cm-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the baseline configuration of the system: - parts: - - - id: cm-2_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cm-2_prm_1 }}; - """ - - - id: cm-2_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: When required due to {{ cm-2_prm_2 }}; and - - - id: cm-2_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: When system components are installed or upgraded. - - - id: cm-2_gdn - name: guidance - prose: Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. - controls: - - - id: cm-2.2 - class: SP800-53-enhancement - title: Automation Support for Accuracy and Currency - parameters: - - - id: cm-2.2_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: CM-2(2) - - - name: sort-id - value: CM-02(02) - links: - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ra-5 - rel: related - text: RA-5 - parts: - - - id: cm-2.2_smt - name: statement - prose: Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ cm-2.2_prm_1 }}. - - - id: cm-2.2_gdn - name: guidance - prose: Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities. - - - id: cm-2.3 - class: SP800-53-enhancement - title: Retention of Previous Configurations - parameters: - - - id: cm-2.3_prm_1 - label: organization-defined number - properties: - - - name: label - value: CM-2(3) - - - name: sort-id - value: CM-02(03) - parts: - - - id: cm-2.3_smt - name: statement - prose: Retain {{ cm-2.3_prm_1 }} of previous versions of baseline configurations of the system to support rollback. - - - id: cm-2.3_gdn - name: guidance - prose: Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records. - - - id: cm-2.7 - class: SP800-53-enhancement - title: Configure Systems and Components for High-risk Areas - parameters: - - - id: cm-2.7_prm_1 - label: organization-defined systems or system components - - - id: cm-2.7_prm_2 - label: organization-defined configurations - - - id: cm-2.7_prm_3 - label: organization-defined controls - properties: - - - name: label - value: CM-2(7) - - - name: sort-id - value: CM-02(07) - links: - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - parts: - - - id: cm-2.7_smt - name: statement - parts: - - - id: cm-2.7_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Issue {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and - - - id: cm-2.7_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Apply the following controls to the systems or components when the individuals return from travel: {{ cm-2.7_prm_3 }}. - - - id: cm-2.7_gdn - name: guidance - prose: When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family. - - - id: cm-3 - class: SP800-53 - title: Configuration Change Control - parameters: - - - id: cm-3_prm_1 - label: organization-defined time-period - - - id: cm-3_prm_2 - label: organization-defined configuration change control element - - - id: cm-3_prm_3 - - - id: cm-3_prm_4 - depends-on: cm-3_prm_3 - label: organization-defined frequency - - - id: cm-3_prm_5 - depends-on: cm-3_prm_3 - label: organization-defined configuration change conditions - properties: - - - name: label - value: CM-3 - - - name: sort-id - value: CM-03 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: cm-3_smt - name: statement - parts: - - - id: cm-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine and document the types of changes to the system that are configuration-controlled; - - - id: cm-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; - - - id: cm-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document configuration change decisions associated with the system; - - - id: cm-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement approved configuration-controlled changes to the system; - - - id: cm-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Retain records of configuration-controlled changes to the system for {{ cm-3_prm_1 }}; - - - id: cm-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Monitor and review activities associated with configuration-controlled changes to the system; and - - - id: cm-3_smt.g - name: item - properties: - - - name: label - value: g. - prose: Coordinate and provide oversight for configuration change control activities through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}. - - - id: cm-3_gdn - name: guidance - prose: Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10. - controls: - - - id: cm-3.1 - class: SP800-53-enhancement - title: Automated Documentation, Notification, and Prohibition of Changes - parameters: - - - id: cm-3.1_prm_1 - label: organization-defined automated mechanisms - - - id: cm-3.1_prm_2 - label: organization-defined approval authorities - - - id: cm-3.1_prm_3 - label: organization-defined time-period - - - id: cm-3.1_prm_4 - label: organization-defined personnel - properties: - - - name: label - value: CM-3(1) - - - name: sort-id - value: CM-03(01) - parts: - - - id: cm-3.1_smt - name: statement - prose: Use {{ cm-3.1_prm_1 }} to: - parts: - - - id: cm-3.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Document proposed changes to the system; - - - id: cm-3.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Notify {{ cm-3.1_prm_2 }} of proposed changes to the system and request change approval; - - - id: cm-3.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Highlight proposed changes to the system that have not been approved or disapproved within {{ cm-3.1_prm_3 }}; - - - id: cm-3.1_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Prohibit changes to the system until designated approvals are received; - - - id: cm-3.1_smt.e - name: item - properties: - - - name: label - value: (e) - prose: Document all changes to the system; and - - - id: cm-3.1_smt.f - name: item - properties: - - - name: label - value: (f) - prose: Notify {{ cm-3.1_prm_4 }} when approved changes to the system are completed. - - - id: cm-3.1_gdn - name: guidance - prose: None. - - - id: cm-3.2 - class: SP800-53-enhancement - title: Testing, Validation, and Documentation of Changes - properties: - - - name: label - value: CM-3(2) - - - name: sort-id - value: CM-03(02) - parts: - - - id: cm-3.2_smt - name: statement - prose: Test, validate, and document changes to the system before finalizing the implementation of the changes. - - - id: cm-3.2_gdn - name: guidance - prose: Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls. - - - id: cm-3.4 - class: SP800-53-enhancement - title: Security and Privacy Representatives - parameters: - - - id: cm-3.4_prm_1 - label: organization-defined security and privacy representatives - - - id: cm-3.4_prm_2 - label: organization-defined configuration change control element - properties: - - - name: label - value: CM-3(4) - - - name: sort-id - value: CM-03(04) - parts: - - - id: cm-3.4_smt - name: statement - prose: Require {{ cm-3.4_prm_1 }} to be members of the {{ cm-3.4_prm_2 }}. - - - id: cm-3.4_gdn - name: guidance - prose: Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3. - - - id: cm-3.6 - class: SP800-53-enhancement - title: Cryptography Management - parameters: - - - id: cm-3.6_prm_1 - label: organization-defined controls - properties: - - - name: label - value: CM-3(6) - - - name: sort-id - value: CM-03(06) - links: - - - href: #sc-12 - rel: related - text: SC-12 - parts: - - - id: cm-3.6_smt - name: statement - prose: Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ cm-3.6_prm_1 }}. - - - id: cm-3.6_gdn - name: guidance - prose: The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates. - - - id: cm-4 - class: SP800-53 - title: Impact Analyses - properties: - - - name: label - value: CM-4 - - - name: sort-id - value: CM-04 - links: - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: cm-4_smt - name: statement - prose: Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. - - - id: cm-4_gdn - name: guidance - prose: Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required. - controls: - - - id: cm-4.1 - class: SP800-53-enhancement - title: Separate Test Environments - properties: - - - name: label - value: CM-4(1) - - - name: sort-id - value: CM-04(01) - links: - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: cm-4.1_smt - name: statement - prose: Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice. - - - id: cm-4.1_gdn - name: guidance - prose: A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation. - - - id: cm-4.2 - class: SP800-53-enhancement - title: Verification of Controls - properties: - - - name: label - value: CM-4(2) - - - name: sort-id - value: CM-04(02) - links: - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #si-6 - rel: related - text: SI-6 - parts: - - - id: cm-4.2_smt - name: statement - prose: After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system. - - - id: cm-4.2_gdn - name: guidance - prose: Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls. - - - id: cm-5 - class: SP800-53 - title: Access Restrictions for Change - properties: - - - name: label - value: CM-5 - - - name: sort-id - value: CM-05 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-10 - rel: related - text: SI-10 - parts: - - - id: cm-5_smt - name: statement - prose: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - - - id: cm-5_gdn - name: guidance - prose: Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times). - controls: - - - id: cm-5.1 - class: SP800-53-enhancement - title: Automated Access Enforcement and Audit Records - parameters: - - - id: cm-5.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: CM-5(1) - - - name: sort-id - value: CM-05(01) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cm-5.1_smt - name: statement - parts: - - - id: cm-5.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Enforce access restrictions using {{ cm-5.1_prm_1 }}; and - - - id: cm-5.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Automatically generate audit records of the enforcement actions. - - - id: cm-5.1_gdn - name: guidance - prose: Organizations log access records associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. - - - id: cm-5.3 - class: SP800-53-enhancement - title: Signed Components - parameters: - - - id: cm-5.3_prm_1 - label: organization-defined software and firmware components - properties: - - - name: label - value: CM-5(3) - - - name: sort-id - value: CM-05(03) - links: - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-5.3_smt - name: statement - prose: Prevent the installation of {{ cm-5.3_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. - - - id: cm-5.3_gdn - name: guidance - prose: Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication. - - - id: cm-6 - class: SP800-53 - title: Configuration Settings - parameters: - - - id: cm-6_prm_1 - label: organization-defined common secure configurations - - - id: cm-6_prm_2 - label: organization-defined system components - - - id: cm-6_prm_3 - label: organization-defined operational requirements - properties: - - - name: label - value: CM-6 - - - name: sort-id - value: CM-06 - links: - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - rel: reference - text: [SP 800-126] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #06842bea-64c9-4e20-807a-b8fc003fa737 - rel: reference - text: [USGCB] - - - href: #5cc04a1c-5489-4751-a493-746a9639067b - rel: reference - text: [NCPR] - - - href: #294eed19-7471-4517-9480-2ec73e7c6a78 - rel: reference - text: [DOD STIG] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-6 - rel: related - text: SI-6 - parts: - - - id: cm-6_smt - name: statement - parts: - - - id: cm-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements; - - - id: cm-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the configuration settings; - - - id: cm-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and - - - id: cm-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. - - - id: cm-6_gdn - name: guidance - prose: - """ - Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. - Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. - Implementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings. - """ - controls: - - - id: cm-6.1 - class: SP800-53-enhancement - title: Automated Management, Application, and Verification - parameters: - - - id: cm-6.1_prm_1 - label: organization-defined system components - - - id: cm-6.1_prm_2 - label: organization-defined automated mechanisms - properties: - - - name: label - value: CM-6(1) - - - name: sort-id - value: CM-06(01) - links: - - - href: #ca-7 - rel: related - text: CA-7 - parts: - - - id: cm-6.1_smt - name: statement - prose: Centrally manage, apply, and verify configuration settings for {{ cm-6.1_prm_1 }} using {{ cm-6.1_prm_2 }}. - - - id: cm-6.1_gdn - name: guidance - prose: Automated tools (e.g., security information and event management tools or enterprise security monitoring tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision making within the organization. - - - id: cm-6.2 - class: SP800-53-enhancement - title: Respond to Unauthorized Changes - parameters: - - - id: cm-6.2_prm_1 - label: organization-defined configuration settings - - - id: cm-6.2_prm_2 - label: organization-defined actions - properties: - - - name: label - value: CM-6(2) - - - name: sort-id - value: CM-06(02) - links: - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-6.2_smt - name: statement - prose: Take the following actions in response to unauthorized changes to {{ cm-6.2_prm_1 }}: {{ cm-6.2_prm_2 }}. - - - id: cm-6.2_gdn - name: guidance - prose: Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected system processing. - - - id: cm-7 - class: SP800-53 - title: Least Functionality - parameters: - - - id: cm-7_prm_1 - label: organization-defined mission essential capabilities - - - id: cm-7_prm_2 - label: organization-defined prohibited or restricted functions, ports, protocols, software, and/or services - properties: - - - name: label - value: CM-7 - - - name: sort-id - value: CM-07 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #893d1736-324c-41d6-a5f4-d526b5ca981a - rel: reference - text: [SP 800-167] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: cm-7_smt - name: statement - parts: - - - id: cm-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Configure the system to provide only {{ cm-7_prm_1 }}; and - - - id: cm-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}. - - - id: cm-7_gdn - name: guidance - prose: Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3). - controls: - - - id: cm-7.1 - class: SP800-53-enhancement - title: Periodic Review - parameters: - - - id: cm-7.1_prm_1 - label: organization-defined frequency - - - id: cm-7.1_prm_2 - label: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure - properties: - - - name: label - value: CM-7(1) - - - name: sort-id - value: CM-07(01) - links: - - - href: #ac-18 - rel: related - text: AC-18 - parts: - - - id: cm-7.1_smt - name: statement - parts: - - - id: cm-7.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Review the system {{ cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and - - - id: cm-7.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Disable or remove {{ cm-7.1_prm_2 }}. - - - id: cm-7.1_gdn - name: guidance - prose: Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking. - - - id: cm-7.2 - class: SP800-53-enhancement - title: Prevent Program Execution - parameters: - - - id: cm-7.2_prm_1 - - - id: cm-7.2_prm_2 - depends-on: cm-7.2_prm_1 - label: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions - properties: - - - name: label - value: CM-7(2) - - - name: sort-id - value: CM-07(02) - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #ps-6 - rel: related - text: PS-6 - parts: - - - id: cm-7.2_smt - name: statement - prose: Prevent program execution in accordance with {{ cm-7.2_prm_1 }}. - - - id: cm-7.2_gdn - name: guidance - prose: Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. - - - id: cm-7.5 - class: SP800-53-enhancement - title: Authorized Software — Whitelisting - parameters: - - - id: cm-7.5_prm_1 - label: organization-defined software programs authorized to execute on the system - - - id: cm-7.5_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CM-7(5) - - - name: sort-id - value: CM-07(05) - links: - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-7.5_smt - name: statement - parts: - - - id: cm-7.5_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Identify {{ cm-7.5_prm_1 }}; - - - id: cm-7.5_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and - - - id: cm-7.5_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Review and update the list of authorized software programs {{ cm-7.5_prm_2 }}. - - - id: cm-7.5_gdn - name: guidance - prose: The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7. - - - id: cm-8 - class: SP800-53 - title: System Component Inventory - parameters: - - - id: cm-8_prm_1 - label: organization-defined information deemed necessary to achieve effective system component accountability - - - id: cm-8_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CM-8 - - - name: sort-id - value: CM-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: cm-8_smt - name: statement - parts: - - - id: cm-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and document an inventory of system components that: - parts: - - - id: cm-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Accurately reflects the system; - - - id: cm-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Includes all components within the system; - - - id: cm-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Is at the level of granularity deemed necessary for tracking and reporting; and - - - id: cm-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and - - - id: cm-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the system component inventory {{ cm-8_prm_2 }}. - - - id: cm-8_gdn - name: guidance - prose: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. - controls: - - - id: cm-8.1 - class: SP800-53-enhancement - title: Updates During Installation and Removal - properties: - - - name: label - value: CM-8(1) - - - name: sort-id - value: CM-08(01) - links: - - - href: #pm-16 - rel: related - text: PM-16 - parts: - - - id: cm-8.1_smt - name: statement - prose: Update the inventory of system components as part of component installations, removals, and system updates. - - - id: cm-8.1_gdn - name: guidance - prose: Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components. - - - id: cm-8.2 - class: SP800-53-enhancement - title: Automated Maintenance - parameters: - - - id: cm-8.2_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: CM-8(2) - - - name: sort-id - value: CM-08(02) - parts: - - - id: cm-8.2_smt - name: statement - prose: Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ cm-8.2_prm_1 }}. - - - id: cm-8.2_gdn - name: guidance - prose: Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities. - - - id: cm-8.3 - class: SP800-53-enhancement - title: Automated Unauthorized Component Detection - parameters: - - - id: cm-8.3_prm_1 - label: organization-defined automated mechanisms - - - id: cm-8.3_prm_2 - label: organization-defined frequency - - - id: cm-8.3_prm_3 - - - id: cm-8.3_prm_4 - depends-on: cm-8.3_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: CM-8(3) - - - name: sort-id - value: CM-08(03) - links: - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-39 - rel: related - text: SC-39 - - - href: #sc-44 - rel: related - text: SC-44 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-8.3_smt - name: statement - parts: - - - id: cm-8.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: - """ - Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ cm-8.3_prm_1 }} - {{ cm-8.3_prm_2 }}; and - """ - - - id: cm-8.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Take the following actions when unauthorized components are detected: {{ cm-8.3_prm_3 }}. - - - id: cm-8.3_gdn - name: guidance - prose: Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing. - - - id: cm-8.4 - class: SP800-53-enhancement - title: Accountability Information - parameters: - - - id: cm-8.4_prm_1 - properties: - - - name: label - value: CM-8(4) - - - name: sort-id - value: CM-08(04) - parts: - - - id: cm-8.4_smt - name: statement - prose: Include in the system component inventory information, a means for identifying by {{ cm-8.4_prm_1 }}, individuals responsible and accountable for administering those components. - - - id: cm-8.4_gdn - name: guidance - prose: Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required, for example, the component is determined to be the source of a breach; the component needs to be recalled or replaced; or the component needs to be relocated. - - - id: cm-9 - class: SP800-53 - title: Configuration Management Plan - parameters: - - - id: cm-9_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: CM-9 - - - name: sort-id - value: CM-09 - links: - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cm-9_smt - name: statement - prose: Develop, document, and implement a configuration management plan for the system that: - parts: - - - id: cm-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Addresses roles, responsibilities, and configuration management processes and procedures; - - - id: cm-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; - - - id: cm-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Defines the configuration items for the system and places the configuration items under configuration management; - - - id: cm-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Is reviewed and approved by {{ cm-9_prm_1 }}; and - - - id: cm-9_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protects the configuration management plan from unauthorized disclosure and modification. - - - id: cm-9_gdn - name: guidance - prose: - """ - Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities. - Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. - Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control. - """ - - - id: cm-10 - class: SP800-53 - title: Software Usage Restrictions - properties: - - - name: label - value: CM-10 - - - name: sort-id - value: CM-10 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: cm-10_smt - name: statement - parts: - - - id: cm-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Use software and associated documentation in accordance with contract agreements and copyright laws; - - - id: cm-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and - - - id: cm-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. - - - id: cm-10_gdn - name: guidance - prose: Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement. - - - id: cm-11 - class: SP800-53 - title: User-installed Software - parameters: - - - id: cm-11_prm_1 - label: organization-defined policies - - - id: cm-11_prm_2 - label: organization-defined methods - - - id: cm-11_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CM-11 - - - name: sort-id - value: CM-11 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-11_smt - name: statement - parts: - - - id: cm-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish {{ cm-11_prm_1 }} governing the installation of software by users; - - - id: cm-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and - - - id: cm-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Monitor policy compliance {{ cm-11_prm_3 }}. - - - id: cm-11_gdn - name: guidance - prose: If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods. - - - id: cm-12 - class: SP800-53 - title: Information Location - parameters: - - - id: cm-12_prm_1 - label: organization-defined information - properties: - - - name: label - value: CM-12 - - - name: sort-id - value: CM-12 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-23 - rel: related - text: AC-23 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-4 - rel: related - text: SC-4 - - - href: #sc-16 - rel: related - text: SC-16 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-12_smt - name: statement - parts: - - - id: cm-12_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document the location of {{ cm-12_prm_1 }} and the specific system components on which the information is processed and stored; - - - id: cm-12_smt.b - name: item - properties: - - - name: label - value: b. - prose: Identify and document the users who have access to the system and system components where the information is processed and stored; and - - - id: cm-12_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document changes to the location (i.e., system or system components) where the information is processed and stored. - - - id: cm-12_gdn - name: guidance - prose: Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17). - controls: - - - id: cm-12.1 - class: SP800-53-enhancement - title: Automated Tools to Support Information Location - parameters: - - - id: cm-12.1_prm_1 - label: organization-defined information by information type - - - id: cm-12.1_prm_2 - label: organization-defined system components - properties: - - - name: label - value: CM-12(1) - - - name: sort-id - value: CM-12(01) - parts: - - - id: cm-12.1_smt - name: statement - prose: Use automated tools to identify {{ cm-12.1_prm_1 }} on {{ cm-12.1_prm_2 }} to ensure controls are in place to protect organizational information and individual privacy. - - - id: cm-12.1_gdn - name: guidance - prose: The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions. - - - id: cp - class: family - title: Contingency Planning - controls: - - - id: cp-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: cp-1_prm_1 - label: organization-defined personnel or roles - - - id: cp-1_prm_2 - - - id: cp-1_prm_3 - label: organization-defined official - - - id: cp-1_prm_4 - label: organization-defined frequency - - - id: cp-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CP-1 - - - name: sort-id - value: CP-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cp-1_smt - name: statement - parts: - - - id: cp-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ cp-1_prm_1 }}: - parts: - - - id: cp-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cp-1_prm_2 }} contingency planning policy that: - """ - parts: - - - id: cp-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: cp-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: cp-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; - - - id: cp-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and - - - id: cp-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current contingency planning: - parts: - - - id: cp-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ cp-1_prm_4 }}; and - - - id: cp-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ cp-1_prm_5 }}. - - - id: cp-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: cp-2 - class: SP800-53 - title: Contingency Plan - parameters: - - - id: cp-2_prm_1 - label: organization-defined personnel or roles - - - id: cp-2_prm_2 - label: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - - - id: cp-2_prm_3 - label: organization-defined frequency - - - id: cp-2_prm_4 - label: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - properties: - - - name: label - value: CP-2 - - - name: sort-id - value: CP-02 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #7a93e915-fd58-4147-be12-e48044c367e6 - rel: reference - text: [IR 8179] - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #cp-11 - rel: related - text: CP-11 - - - href: #cp-13 - rel: related - text: CP-13 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-20 - rel: related - text: SA-20 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cp-2_smt - name: statement - parts: - - - id: cp-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a contingency plan for the system that: - parts: - - - id: cp-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Identifies essential missions and business functions and associated contingency requirements; - - - id: cp-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Provides recovery objectives, restoration priorities, and metrics; - - - id: cp-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Addresses contingency roles, responsibilities, assigned individuals with contact information; - - - id: cp-2_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure; - - - id: cp-2_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and - - - id: cp-2_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Is reviewed and approved by {{ cp-2_prm_1 }}; - - - id: cp-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the contingency plan to {{ cp-2_prm_2 }}; - - - id: cp-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Coordinate contingency planning activities with incident handling activities; - - - id: cp-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review the contingency plan for the system {{ cp-2_prm_3 }}; - - - id: cp-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; - - - id: cp-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Communicate contingency plan changes to {{ cp-2_prm_4 }}; and - - - id: cp-2_smt.g - name: item - properties: - - - name: label - value: g. - prose: Protect the contingency plan from unauthorized disclosure and modification. - - - id: cp-2_gdn - name: guidance - prose: - """ - Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - In addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family. - """ - controls: - - - id: cp-2.1 - class: SP800-53-enhancement - title: Coordinate with Related Plans - properties: - - - name: label - value: CP-2(1) - - - name: sort-id - value: CP-02(01) - parts: - - - id: cp-2.1_smt - name: statement - prose: Coordinate contingency plan development with organizational elements responsible for related plans. - - - id: cp-2.1_gdn - name: guidance - prose: Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. - - - id: cp-2.2 - class: SP800-53-enhancement - title: Capacity Planning - properties: - - - name: label - value: CP-2(2) - - - name: sort-id - value: CP-02(02) - links: - - - href: #pe-11 - rel: related - text: PE-11 - - - href: #pe-12 - rel: related - text: PE-12 - - - href: #pe-13 - rel: related - text: PE-13 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #sc-5 - rel: related - text: SC-5 - parts: - - - id: cp-2.2_smt - name: statement - prose: Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. - - - id: cp-2.2_gdn - name: guidance - prose: Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential missions and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance. - - - id: cp-2.3 - class: SP800-53-enhancement - title: Resume Missions and Business Functions - parameters: - - - id: cp-2.3_prm_1 - - - id: cp-2.3_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: CP-2(3) - - - name: sort-id - value: CP-02(03) - parts: - - - id: cp-2.3_smt - name: statement - prose: Plan for the resumption of {{ cp-2.3_prm_1 }} missions and business functions within {{ cp-2.3_prm_2 }} of contingency plan activation. - - - id: cp-2.3_gdn - name: guidance - prose: Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure. - - - id: cp-2.5 - class: SP800-53-enhancement - title: Continue Missions and Business Functions - parameters: - - - id: cp-2.5_prm_1 - properties: - - - name: label - value: CP-2(5) - - - name: sort-id - value: CP-02(05) - parts: - - - id: cp-2.5_smt - name: statement - prose: Plan for the continuance of {{ cp-2.5_prm_1 }} missions and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. - - - id: cp-2.5_gdn - name: guidance - prose: Organizations may choose to conduct the contingency planning activities to continue missions and business functions as part of business continuity planning or as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency. - - - id: cp-2.8 - class: SP800-53-enhancement - title: Identify Critical Assets - parameters: - - - id: cp-2.8_prm_1 - properties: - - - name: label - value: CP-2(8) - - - name: sort-id - value: CP-02(08) - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ra-9 - rel: related - text: RA-9 - parts: - - - id: cp-2.8_smt - name: statement - prose: Identify critical system assets supporting {{ cp-2.8_prm_1 }} missions and business functions. - - - id: cp-2.8_gdn - name: guidance - prose: Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement. - - - id: cp-3 - class: SP800-53 - title: Contingency Training - parameters: - - - id: cp-3_prm_1 - label: organization-defined time-period - - - id: cp-3_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CP-3 - - - name: sort-id - value: CP-03 - links: - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: cp-3_smt - name: statement - prose: Provide contingency training to system users consistent with assigned roles and responsibilities: - parts: - - - id: cp-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility; - - - id: cp-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: When required by system changes; and - - - id: cp-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: - """ - - {{ cp-3_prm_2 }} thereafter. - """ - - - id: cp-3_gdn - name: guidance - prose: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. - controls: - - - id: cp-3.1 - class: SP800-53-enhancement - title: Simulated Events - properties: - - - name: label - value: CP-3(1) - - - name: sort-id - value: CP-03(01) - parts: - - - id: cp-3.1_smt - name: statement - prose: Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. - - - id: cp-3.1_gdn - name: guidance - prose: The use of simulated events creates an environment for personnel to experience actual threat events including cyber-attacks that disable web sites, ransom-ware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures. - - - id: cp-4 - class: SP800-53 - title: Contingency Plan Testing - parameters: - - - id: cp-4_prm_1 - label: organization-defined frequency - - - id: cp-4_prm_2 - label: organization-defined tests - properties: - - - name: label - value: CP-4 - - - name: sort-id - value: CP-04 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #20bf433b-074c-47a0-8fca-cd591772ccd6 - rel: reference - text: [SP 800-84] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: cp-4_smt - name: statement - parts: - - - id: cp-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}. - - - id: cp-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the contingency plan test results; and - - - id: cp-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Initiate corrective actions, if needed. - - - id: cp-4_gdn - name: guidance - prose: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. - controls: - - - id: cp-4.1 - class: SP800-53-enhancement - title: Coordinate with Related Plans - properties: - - - name: label - value: CP-4(1) - - - name: sort-id - value: CP-04(01) - links: - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-8 - rel: related - text: PM-8 - parts: - - - id: cp-4.1_smt - name: statement - prose: Coordinate contingency plan testing with organizational elements responsible for related plans. - - - id: cp-4.1_gdn - name: guidance - prose: Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements. - - - id: cp-4.2 - class: SP800-53-enhancement - title: Alternate Processing Site - properties: - - - name: label - value: CP-4(2) - - - name: sort-id - value: CP-04(02) - links: - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: cp-4.2_smt - name: statement - prose: Test the contingency plan at the alternate processing site: - parts: - - - id: cp-4.2_smt.a - name: item - properties: - - - name: label - value: (a) - prose: To familiarize contingency personnel with the facility and available resources; and - - - id: cp-4.2_smt.b - name: item - properties: - - - name: label - value: (b) - prose: To evaluate the capabilities of the alternate processing site to support contingency operations. - - - id: cp-4.2_gdn - name: guidance - prose: Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience, firsthand, the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational missions and functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing. - - - id: cp-6 - class: SP800-53 - title: Alternate Storage Site - properties: - - - name: label - value: CP-6 - - - name: sort-id - value: CP-06 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-36 - rel: related - text: SC-36 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-6_smt - name: statement - parts: - - - id: cp-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and - - - id: cp-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensure that the alternate storage site provides controls equivalent to that of the primary site. - - - id: cp-6_gdn - name: guidance - prose: Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems. - controls: - - - id: cp-6.1 - class: SP800-53-enhancement - title: Separation from Primary Site - properties: - - - name: label - value: CP-6(1) - - - name: sort-id - value: CP-06(01) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-6.1_smt - name: statement - prose: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. - - - id: cp-6.1_gdn - name: guidance - prose: Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant. - - - id: cp-6.2 - class: SP800-53-enhancement - title: Recovery Time and Recovery Point Objectives - properties: - - - name: label - value: CP-6(2) - - - name: sort-id - value: CP-06(02) - parts: - - - id: cp-6.2_smt - name: statement - prose: Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. - - - id: cp-6.2_gdn - name: guidance - prose: Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations ensuring accessibility and correct execution. - - - id: cp-6.3 - class: SP800-53-enhancement - title: Accessibility - properties: - - - name: label - value: CP-6(3) - - - name: sort-id - value: CP-06(03) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-6.3_smt - name: statement - prose: Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. - - - id: cp-6.3_gdn - name: guidance - prose: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. - - - id: cp-7 - class: SP800-53 - title: Alternate Processing Site - parameters: - - - id: cp-7_prm_1 - label: organization-defined system operations - - - id: cp-7_prm_2 - label: organization-defined time-period consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-7 - - - name: sort-id - value: CP-07 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-11 - rel: related - text: PE-11 - - - href: #pe-12 - rel: related - text: PE-12 - - - href: #pe-17 - rel: related - text: PE-17 - - - href: #sc-36 - rel: related - text: SC-36 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-7_smt - name: statement - parts: - - - id: cp-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ cp-7_prm_1 }} for essential missions and business functions within {{ cp-7_prm_2 }} when the primary processing capabilities are unavailable; - - - id: cp-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and - - - id: cp-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Provide controls at the alternate processing site that are equivalent to those at the primary site. - - - id: cp-7_gdn - name: guidance - prose: Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems. - controls: - - - id: cp-7.1 - class: SP800-53-enhancement - title: Separation from Primary Site - properties: - - - name: label - value: CP-7(1) - - - name: sort-id - value: CP-07(01) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-7.1_smt - name: statement - prose: Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. - - - id: cp-7.1_gdn - name: guidance - prose: Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant. - - - id: cp-7.2 - class: SP800-53-enhancement - title: Accessibility - properties: - - - name: label - value: CP-7(2) - - - name: sort-id - value: CP-07(02) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-7.2_smt - name: statement - prose: Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. - - - id: cp-7.2_gdn - name: guidance - prose: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. - - - id: cp-7.3 - class: SP800-53-enhancement - title: Priority of Service - properties: - - - name: label - value: CP-7(3) - - - name: sort-id - value: CP-07(03) - parts: - - - id: cp-7.3_smt - name: statement - prose: Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). - - - id: cp-7.3_gdn - name: guidance - prose: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning. - - - id: cp-7.4 - class: SP800-53-enhancement - title: Preparation for Use - properties: - - - name: label - value: CP-7(4) - - - name: sort-id - value: CP-07(04) - links: - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-4 - rel: related - text: CP-4 - parts: - - - id: cp-7.4_smt - name: statement - prose: Prepare the alternate processing site so that the site can serve as the operational site supporting essential missions and business functions. - - - id: cp-7.4_gdn - name: guidance - prose: Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place. - - - id: cp-8 - class: SP800-53 - title: Telecommunications Services - parameters: - - - id: cp-8_prm_1 - label: organization-defined system operations - - - id: cp-8_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: CP-8 - - - name: sort-id - value: CP-08 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-11 - rel: related - text: CP-11 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: cp-8_smt - name: statement - prose: Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for essential missions and business functions within {{ cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. - - - id: cp-8_gdn - name: guidance - prose: This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. - controls: - - - id: cp-8.1 - class: SP800-53-enhancement - title: Priority of Service Provisions - properties: - - - name: label - value: CP-8(1) - - - name: sort-id - value: CP-08(01) - parts: - - - id: cp-8.1_smt - name: statement - parts: - - - id: cp-8.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and - - - id: cp-8.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. - - - id: cp-8.1_gdn - name: guidance - prose: Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program. - - - id: cp-8.2 - class: SP800-53-enhancement - title: Single Points of Failure - properties: - - - name: label - value: CP-8(2) - - - name: sort-id - value: CP-08(02) - parts: - - - id: cp-8.2_smt - name: statement - prose: Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. - - - id: cp-8.2_gdn - name: guidance - prose: In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services. - - - id: cp-8.3 - class: SP800-53-enhancement - title: Separation of Primary and Alternate Providers - properties: - - - name: label - value: CP-8(3) - - - name: sort-id - value: CP-08(03) - parts: - - - id: cp-8.3_smt - name: statement - prose: Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. - - - id: cp-8.3_gdn - name: guidance - prose: Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment. - - - id: cp-8.4 - class: SP800-53-enhancement - title: Provider Contingency Plan - parameters: - - - id: cp-8.4_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CP-8(4) - - - name: sort-id - value: CP-08(04) - links: - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - parts: - - - id: cp-8.4_smt - name: statement - parts: - - - id: cp-8.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Require primary and alternate telecommunications service providers to have contingency plans; - - - id: cp-8.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and - - - id: cp-8.4_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Obtain evidence of contingency testing and training by providers {{ cp-8.4_prm_1 }}. - - - id: cp-8.4_gdn - name: guidance - prose: Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. - - - id: cp-9 - class: SP800-53 - title: System Backup - parameters: - - - id: cp-9_prm_1 - label: organization-defined system components - - - id: cp-9_prm_2 - label: organization-defined frequency consistent with recovery time and recovery point objectives - - - id: cp-9_prm_3 - label: organization-defined frequency consistent with recovery time and recovery point objectives - - - id: cp-9_prm_4 - label: organization-defined frequency consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-9 - - - name: sort-id - value: CP-09 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #ae412317-c2b4-47bb-b47b-c329ce0d7a0b - rel: reference - text: [SP 800-130] - - - href: #38dbdf55-9a14-446f-b563-c48e4e3d37fb - rel: reference - text: [SP 800-152] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-9_smt - name: statement - parts: - - - id: cp-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - Conduct backups of user-level information contained in {{ cp-9_prm_1 }} - {{ cp-9_prm_2 }}; - """ - - - id: cp-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }}; - - - id: cp-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and - - - id: cp-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect the confidentiality, integrity, and availability of backup information. - - - id: cp-9_gdn - name: guidance - prose: System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. - controls: - - - id: cp-9.1 - class: SP800-53-enhancement - title: Testing for Reliability and Integrity - parameters: - - - id: cp-9.1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CP-9(1) - - - name: sort-id - value: CP-09(01) - links: - - - href: #cp-4 - rel: related - text: CP-4 - parts: - - - id: cp-9.1_smt - name: statement - prose: Test backup information {{ cp-9.1_prm_1 }} to verify media reliability and information integrity. - - - id: cp-9.1_gdn - name: guidance - prose: Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance. - - - id: cp-9.2 - class: SP800-53-enhancement - title: Test Restoration Using Sampling - properties: - - - name: label - value: CP-9(2) - - - name: sort-id - value: CP-09(02) - links: - - - href: #cp-4 - rel: related - text: CP-4 - parts: - - - id: cp-9.2_smt - name: statement - prose: Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. - - - id: cp-9.2_gdn - name: guidance - prose: Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is used to determine if the functions operate as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed. - - - id: cp-9.3 - class: SP800-53-enhancement - title: Separate Storage for Critical Information - parameters: - - - id: cp-9.3_prm_1 - label: organization-defined critical system software and other security-related information - properties: - - - name: label - value: CP-9(3) - - - name: sort-id - value: CP-09(03) - links: - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - parts: - - - id: cp-9.3_smt - name: statement - prose: Store backup copies of {{ cp-9.3_prm_1 }} in a separate facility or in a fire-rated container that is not collocated with the operational system. - - - id: cp-9.3_gdn - name: guidance - prose: Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire-rated containers. - - - id: cp-9.5 - class: SP800-53-enhancement - title: Transfer to Alternate Storage Site - parameters: - - - id: cp-9.5_prm_1 - label: organization-defined time-period and transfer rate consistent with the recovery time and recovery point objectives - properties: - - - name: label - value: CP-9(5) - - - name: sort-id - value: CP-09(05) - links: - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #mp-3 - rel: related - text: MP-3 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - parts: - - - id: cp-9.5_smt - name: statement - prose: Transfer system backup information to the alternate storage site {{ cp-9.5_prm_1 }}. - - - id: cp-9.5_gdn - name: guidance - prose: System backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media. - - - id: cp-9.8 - class: SP800-53-enhancement - title: Cryptographic Protection - parameters: - - - id: cp-9.8_prm_1 - label: organization-defined backup information - properties: - - - name: label - value: CP-9(8) - - - name: sort-id - value: CP-09(08) - links: - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - parts: - - - id: cp-9.8_smt - name: statement - prose: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ cp-9.8_prm_1 }}. - - - id: cp-9.8_gdn - name: guidance - prose: The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. - - - id: cp-10 - class: SP800-53 - title: System Recovery and Reconstitution - parameters: - - - id: cp-10_prm_1 - label: organization-defined time-period consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-10 - - - name: sort-id - value: CP-10 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-24 - rel: related - text: SC-24 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-10_smt - name: statement - prose: Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure. - - - id: cp-10_gdn - name: guidance - prose: Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. - controls: - - - id: cp-10.2 - class: SP800-53-enhancement - title: Transaction Recovery - properties: - - - name: label - value: CP-10(2) - - - name: sort-id - value: CP-10(02) - parts: - - - id: cp-10.2_smt - name: statement - prose: Implement transaction recovery for systems that are transaction-based. - - - id: cp-10.2_gdn - name: guidance - prose: Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling. - - - id: cp-10.4 - class: SP800-53-enhancement - title: Restore Within Time-period - parameters: - - - id: cp-10.4_prm_1 - label: organization-defined restoration time-periods - properties: - - - name: label - value: CP-10(4) - - - name: sort-id - value: CP-10(04) - links: - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - parts: - - - id: cp-10.4_smt - name: statement - prose: Provide the capability to restore system components within {{ cp-10.4_prm_1 }} from configuration-controlled and integrity-protected information representing a known, operational state for the components. - - - id: cp-10.4_gdn - name: guidance - prose: Restoration of system components includes reimaging which restores the components to known, operational states. - - - id: ia - class: family - title: Identification and Authentication - controls: - - - id: ia-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ia-1_prm_1 - label: organization-defined personnel or roles - - - id: ia-1_prm_2 - - - id: ia-1_prm_3 - label: organization-defined official - - - id: ia-1_prm_4 - label: organization-defined frequency - - - id: ia-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: IA-1 - - - name: sort-id - value: IA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ia-1_smt - name: statement - parts: - - - id: ia-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ia-1_prm_1 }}: - parts: - - - id: ia-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ia-1_prm_2 }} identification and authentication policy that: - """ - parts: - - - id: ia-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ia-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ia-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; - - - id: ia-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and - - - id: ia-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current identification and authentication: - parts: - - - id: ia-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ia-1_prm_4 }}; and - - - id: ia-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ia-1_prm_5 }}. - - - id: ia-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ia-2 - class: SP800-53 - title: Identification and Authentication (organizational Users) - properties: - - - name: label - value: IA-2 - - - name: sort-id - value: IA-02 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa - rel: reference - text: [SP 800-156] - - - href: #a8f55663-86c5-415b-aabe-d2a126981d65 - rel: reference - text: [SP 800-166] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #daf69edb-a0ef-4447-9880-8c4bf553181f - rel: reference - text: [IR 7676] - - - href: #a49f67fc-827c-40e6-9a37-2b1cbe8142fd - rel: reference - text: [IR 7817] - - - href: #972c10bd-aedf-485f-b0db-f46a402127e2 - rel: reference - text: [IR 7849] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: ia-2_smt - name: statement - prose: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. - - - id: ia-2_gdn - name: guidance - prose: - """ - Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. - Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. - The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8. - """ - controls: - - - id: ia-2.1 - class: SP800-53-enhancement - title: Multifactor Authentication to Privileged Accounts - properties: - - - name: label - value: IA-2(1) - - - name: sort-id - value: IA-02(01) - links: - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - parts: - - - id: ia-2.1_smt - name: statement - prose: Implement multifactor authentication for access to privileged accounts. - - - id: ia-2.1_gdn - name: guidance - prose: Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. - - - id: ia-2.2 - class: SP800-53-enhancement - title: Multifactor Authentication to Non-privileged Accounts - properties: - - - name: label - value: IA-2(2) - - - name: sort-id - value: IA-02(02) - links: - - - href: #ac-5 - rel: related - text: AC-5 - parts: - - - id: ia-2.2_smt - name: statement - prose: Implement multifactor authentication for access to non-privileged accounts. - - - id: ia-2.2_gdn - name: guidance - prose: Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. - - - id: ia-2.5 - class: SP800-53-enhancement - title: Individual Authentication with Group Authentication - properties: - - - name: label - value: IA-2(5) - - - name: sort-id - value: IA-02(05) - parts: - - - id: ia-2.5_smt - name: statement - prose: When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. - - - id: ia-2.5_gdn - name: guidance - prose: Individual authentication prior to shared group authentication helps to mitigate the risk of using group accounts or authenticators. - - - id: ia-2.8 - class: SP800-53-enhancement - title: Access to Accounts — Replay Resistant - parameters: - - - id: ia-2.8_prm_1 - properties: - - - name: label - value: IA-2(8) - - - name: sort-id - value: IA-02(08) - parts: - - - id: ia-2.8_smt - name: statement - prose: Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}. - - - id: ia-2.8_gdn - name: guidance - prose: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. - - - id: ia-2.12 - class: SP800-53-enhancement - title: Acceptance of PIV Credentials - properties: - - - name: label - value: IA-2(12) - - - name: sort-id - value: IA-02(12) - parts: - - - id: ia-2.12_smt - name: statement - prose: Accept and electronically verify Personal Identity Verification-compliant credentials. - - - id: ia-2.12_gdn - name: guidance - prose: Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential. - - - id: ia-3 - class: SP800-53 - title: Device Identification and Authentication - parameters: - - - id: ia-3_prm_1 - label: organization-defined devices and/or types of devices - - - id: ia-3_prm_2 - properties: - - - name: label - value: IA-3 - - - name: sort-id - value: IA-03 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ia-3_smt - name: statement - prose: Uniquely identify and authenticate {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }} connection. - - - id: ia-3_gdn - name: guidance - prose: Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need. - - - id: ia-4 - class: SP800-53 - title: Identifier Management - parameters: - - - id: ia-4_prm_1 - label: organization-defined personnel or roles - - - id: ia-4_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: IA-4 - - - name: sort-id - value: IA-04 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #sc-37 - rel: related - text: SC-37 - parts: - - - id: ia-4_smt - name: statement - prose: Manage system identifiers by: - parts: - - - id: ia-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier; - - - id: ia-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Selecting an identifier that identifies an individual, group, role, service, or device; - - - id: ia-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assigning the identifier to the intended individual, group, role, service, or device; and - - - id: ia-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Preventing reuse of identifiers for {{ ia-4_prm_2 }}. - - - id: ia-4_gdn - name: guidance - prose: Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices. - controls: - - - id: ia-4.4 - class: SP800-53-enhancement - title: Identify User Status - parameters: - - - id: ia-4.4_prm_1 - label: organization-defined characteristic identifying individual status - properties: - - - name: label - value: IA-4(4) - - - name: sort-id - value: IA-04(04) - parts: - - - id: ia-4.4_smt - name: statement - prose: Manage individual identifiers by uniquely identifying each individual as {{ ia-4.4_prm_1 }}. - - - id: ia-4.4_gdn - name: guidance - prose: Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor. - - - id: ia-5 - class: SP800-53 - title: Authenticator Management - parameters: - - - id: ia-5_prm_1 - label: organization-defined time-period by authenticator type - properties: - - - name: label - value: IA-5 - - - name: sort-id - value: IA-05 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #a49f67fc-827c-40e6-9a37-2b1cbe8142fd - rel: reference - text: [IR 7817] - - - href: #972c10bd-aedf-485f-b0db-f46a402127e2 - rel: reference - text: [IR 7849] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #24738ee6-b3f3-4e37-825b-58775846bdbc - rel: reference - text: [IR 8040] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - parts: - - - id: ia-5_smt - name: statement - prose: Manage system authenticators by: - parts: - - - id: ia-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; - - - id: ia-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing initial authenticator content for any authenticators issued by the organization; - - - id: ia-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ensuring that authenticators have sufficient strength of mechanism for their intended use; - - - id: ia-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; - - - id: ia-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; - - - id: ia-5_smt.f - name: item - properties: - - - name: label - value: f. - prose: Changing default authenticators prior to first use; - - - id: ia-5_smt.g - name: item - properties: - - - name: label - value: g. - prose: Changing or refreshing authenticators {{ ia-5_prm_1 }}; - - - id: ia-5_smt.h - name: item - properties: - - - name: label - value: h. - prose: Protecting authenticator content from unauthorized disclosure and modification; - - - id: ia-5_smt.i - name: item - properties: - - - name: label - value: i. - prose: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and - - - id: ia-5_smt.j - name: item - properties: - - - name: label - value: j. - prose: Changing authenticators for group or role accounts when membership to those accounts changes. - - - id: ia-5_gdn - name: guidance - prose: - """ - Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. - Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. - """ - controls: - - - id: ia-5.1 - class: SP800-53-enhancement - title: Password-based Authentication - parameters: - - - id: ia-5.1_prm_1 - label: organization-defined frequency - - - id: ia-5.1_prm_2 - label: organization-defined composition and complexity rules - properties: - - - name: label - value: IA-5(1) - - - name: sort-id - value: IA-05(01) - links: - - - href: #ia-6 - rel: related - text: IA-6 - parts: - - - id: ia-5.1_smt - name: statement - prose: For password-based authentication: - parts: - - - id: ia-5.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly; - - - id: ia-5.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords; - - - id: ia-5.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Transmit only cryptographically-protected passwords; - - - id: ia-5.1_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Store passwords using an approved hash algorithm and salt, preferably using a keyed hash; - - - id: ia-5.1_smt.e - name: item - properties: - - - name: label - value: (e) - prose: Require immediate selection of a new password upon account recovery; - - - id: ia-5.1_smt.f - name: item - properties: - - - name: label - value: (f) - prose: Allow user selection of long passwords and passphrases, including spaces and all printable characters; - - - id: ia-5.1_smt.g - name: item - properties: - - - name: label - value: (g) - prose: Employ automated tools to assist the user in selecting strong password authenticators; and - - - id: ia-5.1_smt.h - name: item - properties: - - - name: label - value: (h) - prose: Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}. - - - id: ia-5.1_gdn - name: guidance - prose: Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof. - - - id: ia-5.2 - class: SP800-53-enhancement - title: Implement a local cache of revocation data to support path discovery and validation. - properties: - - - name: label - value: IA-5(2) - - - name: sort-id - value: IA-05(02) - links: - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #sc-17 - rel: related - text: SC-17 - parts: - - - id: ia-5.2_smt - name: statement - prose: Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network. - - - id: ia-5.2_gdn - name: guidance - - - id: ia-5.6 - class: SP800-53-enhancement - title: Protection of Authenticators - properties: - - - name: label - value: IA-5(6) - - - name: sort-id - value: IA-05(06) - links: - - - href: #ra-2 - rel: related - text: RA-2 - parts: - - - id: ia-5.6_smt - name: statement - prose: Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. - - - id: ia-5.6_gdn - name: guidance - prose: For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process. - - - id: ia-6 - class: SP800-53 - title: Authenticator Feedback - properties: - - - name: label - value: IA-6 - - - name: sort-id - value: IA-06 - links: - - - href: #ac-3 - rel: related - text: AC-3 - parts: - - - id: ia-6_smt - name: statement - prose: Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. - - - id: ia-6_gdn - name: guidance - prose: Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it. - - - id: ia-7 - class: SP800-53 - title: Cryptographic Module Authentication - properties: - - - name: label - value: IA-7 - - - name: sort-id - value: IA-07 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ia-7_smt - name: statement - prose: Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. - - - id: ia-7_gdn - name: guidance - prose: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. - - - id: ia-8 - class: SP800-53 - title: Identification and Authentication (non-organizational Users) - properties: - - - name: label - value: IA-8 - - - name: sort-id - value: IA-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #ad7d575f-b5fe-489b-8d48-36a93d964a5f - rel: reference - text: [SP 800-116] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-10 - rel: related - text: IA-10 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-8 - rel: related - text: SC-8 - parts: - - - id: ia-8_smt - name: statement - prose: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. - - - id: ia-8_gdn - name: guidance - prose: Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk. - controls: - - - id: ia-8.1 - class: SP800-53-enhancement - title: Acceptance of PIV Credentials from Other Agencies - properties: - - - name: label - value: IA-8(1) - - - name: sort-id - value: IA-08(01) - links: - - - href: #pe-3 - rel: related - text: PE-3 - parts: - - - id: ia-8.1_smt - name: statement - prose: Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. - - - id: ia-8.1_gdn - name: guidance - prose: Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]. - - - id: ia-8.2 - class: SP800-53-enhancement - title: Acceptance of External Credentials - properties: - - - name: label - value: IA-8(2) - - - name: sort-id - value: IA-08(02) - parts: - - - id: ia-8.2_smt - name: statement - prose: Accept only external credentials that are NIST-compliant. - - - id: ia-8.2_gdn - name: guidance - prose: Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels. - - - id: ia-8.4 - class: SP800-53-enhancement - title: Use of Nist-issued Profiles - properties: - - - name: label - value: IA-8(4) - - - name: sort-id - value: IA-08(04) - parts: - - - id: ia-8.4_smt - name: statement - prose: Conform to NIST-issued profiles for identity management. - - - id: ia-8.4_gdn - name: guidance - prose: Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols. - - - id: ia-11 - class: SP800-53 - title: Re-authentication - parameters: - - - id: ia-11_prm_1 - label: organization-defined circumstances or situations requiring re-authentication - properties: - - - name: label - value: IA-11 - - - name: sort-id - value: IA-11 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-11 - rel: related - text: AC-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - parts: - - - id: ia-11_smt - name: statement - prose: Require users to re-authenticate when {{ ia-11_prm_1 }}. - - - id: ia-11_gdn - name: guidance - prose: In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically. - - - id: ia-12 - class: SP800-53 - title: Identity Proofing - properties: - - - name: label - value: IA-12 - - - name: sort-id - value: IA-12 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3c50fa31-7f4d-4d30-91d7-27ee87cd5f75 - rel: reference - text: [SP 800-63A] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-6 - rel: related - text: IA-6 - - - href: #ia-8 - rel: related - text: IA-8 - parts: - - - id: ia-12_smt - name: statement - parts: - - - id: ia-12_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; - - - id: ia-12_smt.b - name: item - properties: - - - name: label - value: b. - prose: Resolve user identities to a unique individual; and - - - id: ia-12_smt.c - name: item - properties: - - - name: label - value: c. - prose: Collect, validate, and verify identity evidence. - - - id: ia-12_gdn - name: guidance - prose: Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A]. - controls: - - - id: ia-12.2 - class: SP800-53-enhancement - title: Identity Evidence - properties: - - - name: label - value: IA-12(2) - - - name: sort-id - value: IA-12(02) - parts: - - - id: ia-12.2_smt - name: statement - prose: Require evidence of individual identification be presented to the registration authority. - - - id: ia-12.2_gdn - name: guidance - prose: Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account. - - - id: ia-12.3 - class: SP800-53-enhancement - title: Identity Evidence Validation and Verification - parameters: - - - id: ia-12.3_prm_1 - label: organizational defined methods of validation and verification - properties: - - - name: label - value: IA-12(3) - - - name: sort-id - value: IA-12(03) - parts: - - - id: ia-12.3_smt - name: statement - prose: Require that the presented identity evidence be validated and verified through {{ ia-12.3_prm_1 }}. - - - id: ia-12.3_gdn - name: guidance - prose: Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account - - - id: ia-12.4 - class: SP800-53-enhancement - title: In-person Validation and Verification - properties: - - - name: label - value: IA-12(4) - - - name: sort-id - value: IA-12(04) - parts: - - - id: ia-12.4_smt - name: statement - prose: Require that the validation and verification of identity evidence be conducted in person before a designated registration authority. - - - id: ia-12.4_gdn - name: guidance - prose: In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities. - - - id: ia-12.5 - class: SP800-53-enhancement - title: Address Confirmation - parameters: - - - id: ia-12.5_prm_1 - properties: - - - name: label - value: IA-12(5) - - - name: sort-id - value: IA-12(05) - links: - - - href: #ia-12 - rel: related - text: IA-12 - parts: - - - id: ia-12.5_smt - name: statement - prose: Require that a {{ ia-12.5_prm_1 }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record. - - - id: ia-12.5_gdn - name: guidance - prose: To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses. - - - id: ir - class: family - title: Incident Response - controls: - - - id: ir-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ir-1_prm_1 - label: organization-defined personnel or roles - - - id: ir-1_prm_2 - - - id: ir-1_prm_3 - label: organization-defined official - - - id: ir-1_prm_4 - label: organization-defined frequency - - - id: ir-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: IR-1 - - - name: sort-id - value: IR-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ir-1_smt - name: statement - parts: - - - id: ir-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ir-1_prm_1 }}: - parts: - - - id: ir-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ir-1_prm_2 }} incident response policy that: - """ - parts: - - - id: ir-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ir-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ir-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; - - - id: ir-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and - - - id: ir-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current incident response: - parts: - - - id: ir-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ir-1_prm_4 }}; and - - - id: ir-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ir-1_prm_5 }}. - - - id: ir-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ir-2 - class: SP800-53 - title: Incident Response Training - parameters: - - - id: ir-2_prm_1 - label: organization-defined time-period - - - id: ir-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: IR-2 - - - name: sort-id - value: IR-02 - links: - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: ir-2_smt - name: statement - prose: Provide incident response training to system users consistent with assigned roles and responsibilities: - parts: - - - id: ir-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access; - - - id: ir-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: When required by system changes; and - - - id: ir-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: - """ - - {{ ir-2_prm_2 }} thereafter. - """ - - - id: ir-2_gdn - name: guidance - prose: Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. - controls: - - - id: ir-2.1 - class: SP800-53-enhancement - title: Simulated Events - properties: - - - name: label - value: IR-2(1) - - - name: sort-id - value: IR-02(01) - parts: - - - id: ir-2.1_smt - name: statement - prose: Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. - - - id: ir-2.1_gdn - name: guidance - prose: Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations. - - - id: ir-2.2 - class: SP800-53-enhancement - title: Automated Training Environments - parameters: - - - id: ir-2.2_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-2(2) - - - name: sort-id - value: IR-02(02) - parts: - - - id: ir-2.2_smt - name: statement - prose: Provide an incident response training environment using {{ ir-2.2_prm_1 }}. - - - id: ir-2.2_gdn - name: guidance - prose: Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues; by selecting more realistic training scenarios and training environments; and by stressing the response capability. - - - id: ir-3 - class: SP800-53 - title: Incident Response Testing - parameters: - - - id: ir-3_prm_1 - label: organization-defined frequency - - - id: ir-3_prm_2 - label: organization-defined tests - properties: - - - name: label - value: IR-3 - - - name: sort-id - value: IR-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #20bf433b-074c-47a0-8fca-cd591772ccd6 - rel: reference - text: [SP 800-84] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-14 - rel: related - text: PM-14 - parts: - - - id: ir-3_smt - name: statement - prose: Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}. - - - id: ir-3_gdn - name: guidance - prose: Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes. - controls: - - - id: ir-3.2 - class: SP800-53-enhancement - title: Coordination with Related Plans - properties: - - - name: label - value: IR-3(2) - - - name: sort-id - value: IR-03(02) - parts: - - - id: ir-3.2_smt - name: statement - prose: Coordinate incident response testing with organizational elements responsible for related plans. - - - id: ir-3.2_gdn - name: guidance - prose: Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. - - - id: ir-4 - class: SP800-53 - title: Incident Handling - properties: - - - name: label - value: IR-4 - - - name: sort-id - value: IR-04 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #35dfd59f-eef2-4f71-bdb5-6d878267456a - rel: reference - text: [SP 800-86] - - - href: #1e2c475a-84ae-4c60-b420-8fb2ea552b71 - rel: reference - text: [SP 800-101] - - - href: #ad3e8f21-07c6-4968-b002-00b64dfa70ae - rel: reference - text: [SP 800-150] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #08f518f7-f9b9-4bee-8986-860214f46b16 - rel: reference - text: [SP 800-184] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ir-4_smt - name: statement - parts: - - - id: ir-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; - - - id: ir-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate incident handling activities with contingency planning activities; - - - id: ir-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and - - - id: ir-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. - - - id: ir-4_gdn - name: guidance - prose: Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk. - controls: - - - id: ir-4.1 - class: SP800-53-enhancement - title: Automated Incident Handling Processes - parameters: - - - id: ir-4.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-4(1) - - - name: sort-id - value: IR-04(01) - parts: - - - id: ir-4.1_smt - name: statement - prose: Support the incident handling process using {{ ir-4.1_prm_1 }}. - - - id: ir-4.1_gdn - name: guidance - prose: Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis. - - - id: ir-4.4 - class: SP800-53-enhancement - title: Information Correlation - properties: - - - name: label - value: IR-4(4) - - - name: sort-id - value: IR-04(04) - parts: - - - id: ir-4.4_smt - name: statement - prose: Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. - - - id: ir-4.4_gdn - name: guidance - prose: Sometimes a threat event, for example, a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations. - - - id: ir-5 - class: SP800-53 - title: Incident Monitoring - properties: - - - name: label - value: IR-5 - - - name: sort-id - value: IR-05 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ir-5_smt - name: statement - prose: Track and document security, privacy, and supply chain incidents. - - - id: ir-5_gdn - name: guidance - prose: Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports. - controls: - - - id: ir-5.1 - class: SP800-53-enhancement - title: Automated Tracking, Data Collection, and Analysis - parameters: - - - id: ir-5.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-5(1) - - - name: sort-id - value: IR-05(01) - links: - - - href: #au-7 - rel: related - text: AU-7 - - - href: #ir-4 - rel: related - text: IR-4 - parts: - - - id: ir-5.1_smt - name: statement - prose: Track security and privacy incidents and collect and analyze incident information using {{ ir-5.1_prm_1 }}. - - - id: ir-5.1_gdn - name: guidance - prose: Automated mechanisms for tracking incidents and for collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices. - - - id: ir-6 - class: SP800-53 - title: Incident Reporting - parameters: - - - id: ir-6_prm_1 - label: organization-defined time-period - - - id: ir-6_prm_2 - label: organization-defined authorities - properties: - - - name: label - value: IR-6 - - - name: sort-id - value: IR-06 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: ir-6_smt - name: statement - parts: - - - id: ir-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and - - - id: ir-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}. - - - id: ir-6_gdn - name: guidance - prose: The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - controls: - - - id: ir-6.1 - class: SP800-53-enhancement - title: Automated Reporting - parameters: - - - id: ir-6.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-6(1) - - - name: sort-id - value: IR-06(01) - links: - - - href: #ir-7 - rel: related - text: IR-7 - parts: - - - id: ir-6.1_smt - name: statement - prose: Report incidents using {{ ir-6.1_prm_1 }}. - - - id: ir-6.1_gdn - name: guidance - prose: Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs. - - - id: ir-6.3 - class: SP800-53-enhancement - title: Supply Chain Coordination - properties: - - - name: label - value: IR-6(3) - - - name: sort-id - value: IR-06(03) - links: - - - href: #sr-8 - rel: related - text: SR-8 - parts: - - - id: ir-6.3_smt - name: statement - prose: Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident. - - - id: ir-6.3_gdn - name: guidance - prose: Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident. - - - id: ir-7 - class: SP800-53 - title: Incident Response Assistance - properties: - - - name: label - value: IR-7 - - - name: sort-id - value: IR-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-26 - rel: related - text: PM-26 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: ir-7_smt - name: statement - prose: Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents. - - - id: ir-7_gdn - name: guidance - prose: Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required. - controls: - - - id: ir-7.1 - class: SP800-53-enhancement - title: Automation Support for Availability of Information and Support - parameters: - - - id: ir-7.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-7(1) - - - name: sort-id - value: IR-07(01) - parts: - - - id: ir-7.1_smt - name: statement - prose: Increase the availability of incident response information and support using {{ ir-7.1_prm_1 }}. - - - id: ir-7.1_gdn - name: guidance - prose: Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. - - - id: ir-8 - class: SP800-53 - title: Incident Response Plan - parameters: - - - id: ir-8_prm_1 - label: organization-defined personnel or roles - - - id: ir-8_prm_2 - label: organization-defined frequency - - - id: ir-8_prm_3 - label: organization-defined entities, personnel, or roles - - - id: ir-8_prm_4 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - - id: ir-8_prm_5 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - properties: - - - name: label - value: IR-8 - - - name: sort-id - value: IR-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #389fe193-866e-46b1-bf1d-38904b56aa7b - rel: reference - text: [OMB M-17-12] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-8 - rel: related - text: SR-8 - parts: - - - id: ir-8_smt - name: statement - parts: - - - id: ir-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop an incident response plan that: - parts: - - - id: ir-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Provides the organization with a roadmap for implementing its incident response capability; - - - id: ir-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Describes the structure and organization of the incident response capability; - - - id: ir-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Provides a high-level approach for how the incident response capability fits into the overall organization; - - - id: ir-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; - - - id: ir-8_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Defines reportable incidents; - - - id: ir-8_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provides metrics for measuring the incident response capability within the organization; - - - id: ir-8_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Defines the resources and management support needed to effectively maintain and mature an incident response capability; - - - id: ir-8_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: - """ - Is reviewed and approved by {{ ir-8_prm_1 }} - {{ ir-8_prm_2 }}; and - """ - - - id: ir-8_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}. - - - id: ir-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the incident response plan to {{ ir-8_prm_4 }}; - - - id: ir-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; - - - id: ir-8_smt.d - name: item - properties: - - - name: label - value: d. - prose: Communicate incident response plan changes to {{ ir-8_prm_5 }}; and - - - id: ir-8_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the incident response plan from unauthorized disclosure and modification. - - - id: ir-8_gdn - name: guidance - prose: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly. - - - id: ir-10 - class: SP800-53 - title: Incident Analysis - properties: - - - name: label - value: IR-10 - - - name: status - value: Withdrawn - - - name: sort-id - value: IR-10 - links: - - - href: #ir-4.11 - rel: incorporated-into - text: IR-4(11) - - - id: ma - class: family - title: Maintenance - controls: - - - id: ma-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ma-1_prm_1 - label: organization-defined personnel or roles - - - id: ma-1_prm_2 - - - id: ma-1_prm_3 - label: organization-defined official - - - id: ma-1_prm_4 - label: organization-defined frequency - - - id: ma-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: MA-1 - - - name: sort-id - value: MA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ma-1_smt - name: statement - parts: - - - id: ma-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ma-1_prm_1 }}: - parts: - - - id: ma-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ma-1_prm_2 }} maintenance policy that: - """ - parts: - - - id: ma-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ma-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ma-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; - - - id: ma-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and - - - id: ma-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current maintenance: - parts: - - - id: ma-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ma-1_prm_4 }}; and - - - id: ma-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ma-1_prm_5 }}. - - - id: ma-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ma-2 - class: SP800-53 - title: Controlled Maintenance - parameters: - - - id: ma-2_prm_1 - label: organization-defined personnel or roles - - - id: ma-2_prm_2 - label: organization-defined information - - - id: ma-2_prm_3 - label: organization-defined information - properties: - - - name: label - value: MA-2 - - - name: sort-id - value: MA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: ma-2_smt - name: statement - parts: - - - id: ma-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; - - - id: ma-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; - - - id: ma-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; - - - id: ma-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }}; - - - id: ma-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and - - - id: ma-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}. - - - id: ma-2_gdn - name: guidance - prose: Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems. - controls: - - - id: ma-2.2 - class: SP800-53-enhancement - title: Automated Maintenance Activities - parameters: - - - id: ma-2.2_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: MA-2(2) - - - name: sort-id - value: MA-02(02) - links: - - - href: #ma-3 - rel: related - text: MA-3 - parts: - - - id: ma-2.2_smt - name: statement - parts: - - - id: ma-2.2_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ ma-2.2_prm_1 }}; and - - - id: ma-2.2_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed. - - - id: ma-2.2_gdn - name: guidance - prose: The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records. - - - id: ma-3 - class: SP800-53 - title: Maintenance Tools - parameters: - - - id: ma-3_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: MA-3 - - - name: sort-id - value: MA-03 - links: - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #pe-16 - rel: related - text: PE-16 - parts: - - - id: ma-3_smt - name: statement - parts: - - - id: ma-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve, control, and monitor the use of system maintenance tools; and - - - id: ma-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review previously approved system maintenance tools {{ ma-3_prm_1 }}. - - - id: ma-3_gdn - name: guidance - prose: Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools. - controls: - - - id: ma-3.1 - class: SP800-53-enhancement - title: Inspect Tools - properties: - - - name: label - value: MA-3(1) - - - name: sort-id - value: MA-03(01) - links: - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ma-3.1_smt - name: statement - prose: Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications. - - - id: ma-3.1_gdn - name: guidance - prose: Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. - - - id: ma-3.2 - class: SP800-53-enhancement - title: Inspect Media - properties: - - - name: label - value: MA-3(2) - - - name: sort-id - value: MA-03(02) - links: - - - href: #si-3 - rel: related - text: SI-3 - parts: - - - id: ma-3.2_smt - name: statement - prose: Check media containing diagnostic and test programs for malicious code before the media are used in the system. - - - id: ma-3.2_gdn - name: guidance - prose: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. - - - id: ma-3.3 - class: SP800-53-enhancement - title: Prevent Unauthorized Removal - parameters: - - - id: ma-3.3_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: MA-3(3) - - - name: sort-id - value: MA-03(03) - links: - - - href: #mp-6 - rel: related - text: MP-6 - parts: - - - id: ma-3.3_smt - name: statement - prose: Prevent the removal of maintenance equipment containing organizational information by: - parts: - - - id: ma-3.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Verifying that there is no organizational information contained on the equipment; - - - id: ma-3.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Sanitizing or destroying the equipment; - - - id: ma-3.3_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Retaining the equipment within the facility; or - - - id: ma-3.3_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility. - - - id: ma-3.3_gdn - name: guidance - prose: Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards. - - - id: ma-4 - class: SP800-53 - title: Nonlocal Maintenance - properties: - - - name: label - value: MA-4 - - - name: sort-id - value: MA-04 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #bbc7085f-b383-444e-af74-722a55cccc0f - rel: reference - text: [FIPS 197] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-10 - rel: related - text: SC-10 - parts: - - - id: ma-4_smt - name: statement - parts: - - - id: ma-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve and monitor nonlocal maintenance and diagnostic activities; - - - id: ma-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; - - - id: ma-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; - - - id: ma-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Maintain records for nonlocal maintenance and diagnostic activities; and - - - id: ma-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Terminate session and network connections when nonlocal maintenance is completed. - - - id: ma-4_gdn - name: guidance - prose: Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. - controls: - - - id: ma-4.3 - class: SP800-53-enhancement - title: Comparable Security and Sanitization - properties: - - - name: label - value: MA-4(3) - - - name: sort-id - value: MA-04(03) - links: - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ma-4.3_smt - name: statement - parts: - - - id: ma-4.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or - - - id: ma-4.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system. - - - id: ma-4.3_gdn - name: guidance - prose: Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced. - - - id: ma-5 - class: SP800-53 - title: Maintenance Personnel - properties: - - - name: label - value: MA-5 - - - name: sort-id - value: MA-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: ma-5_smt - name: statement - parts: - - - id: ma-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; - - - id: ma-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and - - - id: ma-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. - - - id: ma-5_gdn - name: guidance - prose: Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods. - controls: - - - id: ma-5.1 - class: SP800-53-enhancement - title: Individuals Without Appropriate Access - parameters: - - - id: ma-5.1_prm_1 - label: organization-defined alternate controls - properties: - - - name: label - value: MA-5(1) - - - name: sort-id - value: MA-05(01) - links: - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: ma-5.1_smt - name: statement - parts: - - - id: ma-5.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: - parts: - - - id: ma-5.1_smt.a.1 - name: item - properties: - - - name: label - value: (1) - prose: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; - - - id: ma-5.1_smt.a.2 - name: item - properties: - - - name: label - value: (2) - prose: Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and - - - id: ma-5.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Develop and implement {{ ma-5.1_prm_1 }} in the event a system component cannot be sanitized, removed, or disconnected from the system. - - - id: ma-5.1_gdn - name: guidance - prose: Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems. - - - id: ma-6 - class: SP800-53 - title: Timely Maintenance - parameters: - - - id: ma-6_prm_1 - label: organization-defined system components - - - id: ma-6_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: MA-6 - - - name: sort-id - value: MA-06 - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-13 - rel: related - text: SI-13 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: ma-6_smt - name: statement - prose: Obtain maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure. - - - id: ma-6_gdn - name: guidance - prose: Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place. - - - id: mp - class: family - title: Media Protection - controls: - - - id: mp-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: mp-1_prm_1 - label: organization-defined personnel or roles - - - id: mp-1_prm_2 - - - id: mp-1_prm_3 - label: organization-defined official - - - id: mp-1_prm_4 - label: organization-defined frequency - - - id: mp-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: MP-1 - - - name: sort-id - value: MP-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-1_smt - name: statement - parts: - - - id: mp-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ mp-1_prm_1 }}: - parts: - - - id: mp-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ mp-1_prm_2 }} media protection policy that: - """ - parts: - - - id: mp-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: mp-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: mp-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; - - - id: mp-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and - - - id: mp-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current media protection: - parts: - - - id: mp-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ mp-1_prm_4 }}; and - - - id: mp-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ mp-1_prm_5 }}. - - - id: mp-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: mp-2 - class: SP800-53 - title: Media Access - parameters: - - - id: mp-2_prm_1 - label: organization-defined types of digital and/or non-digital media - - - id: mp-2_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: MP-2 - - - name: sort-id - value: MP-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-2_smt - name: statement - prose: Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}. - - - id: mp-2_gdn - name: guidance - prose: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media. - - - id: mp-3 - class: SP800-53 - title: Media Marking - parameters: - - - id: mp-3_prm_1 - label: organization-defined types of system media - - - id: mp-3_prm_2 - label: organization-defined controlled areas - properties: - - - name: label - value: MP-3 - - - name: sort-id - value: MP-03 - links: - - - href: #742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - rel: reference - text: [32 CFR 2002] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-22 - rel: related - text: PE-22 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-3_smt - name: statement - parts: - - - id: mp-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and - - - id: mp-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Exempt {{ mp-3_prm_1 }} from marking if the media remain within {{ mp-3_prm_2 }}. - - - id: mp-3_gdn - name: guidance - prose: Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: mp-4 - class: SP800-53 - title: Media Storage - parameters: - - - id: mp-4_prm_1 - label: organization-defined types of digital and/or non-digital media - - - id: mp-4_prm_2 - label: organization-defined controlled areas - properties: - - - name: label - value: MP-4 - - - name: sort-id - value: MP-04 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #77dc1838-3664-4faa-bc6e-4e2a16e52f35 - rel: reference - text: [SP 800-56A] - - - href: #f417e4ec-cadb-47a8-a363-6006b32c28ad - rel: reference - text: [SP 800-56B] - - - href: #7c3ba335-62bd-4f03-888f-960790409b11 - rel: reference - text: [SP 800-56C] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-4_smt - name: statement - parts: - - - id: mp-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Physically control and securely store {{ mp-4_prm_1 }} within {{ mp-4_prm_2 }}; and - - - id: mp-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures. - - - id: mp-4_gdn - name: guidance - prose: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection. - - - id: mp-5 - class: SP800-53 - title: Media Transport - parameters: - - - id: mp-5_prm_1 - label: organization-defined types of system media - - - id: mp-5_prm_2 - label: organization-defined controls - properties: - - - name: label - value: MP-5 - - - name: sort-id - value: MP-05 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #mp-3 - rel: related - text: MP-3 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - parts: - - - id: mp-5_smt - name: statement - parts: - - - id: mp-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Protect and control {{ mp-5_prm_1 }} during transport outside of controlled areas using {{ mp-5_prm_2 }}; - - - id: mp-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain accountability for system media during transport outside of controlled areas; - - - id: mp-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document activities associated with the transport of system media; and - - - id: mp-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Restrict the activities associated with the transport of system media to authorized personnel. - - - id: mp-5_gdn - name: guidance - prose: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records. - - - id: mp-6 - class: SP800-53 - title: Media Sanitization - parameters: - - - id: mp-6_prm_1 - label: organization-defined system media - - - id: mp-6_prm_2 - label: organization-defined sanitization techniques and procedures - properties: - - - name: label - value: MP-6 - - - name: sort-id - value: MP-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #a52271dc-11b5-423a-8b6f-14867bd94259 - rel: reference - text: [NSA MEDIA] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - - - href: #si-19 - rel: related - text: SI-19 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: mp-6_smt - name: statement - parts: - - - id: mp-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and - - - id: mp-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. - - - id: mp-6_gdn - name: guidance - prose: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information. - controls: - - - id: mp-6.1 - class: SP800-53-enhancement - title: Review, Approve, Track, Document, and Verify - properties: - - - name: label - value: MP-6(1) - - - name: sort-id - value: MP-06(01) - parts: - - - id: mp-6.1_smt - name: statement - prose: Review, approve, track, document, and verify media sanitization and disposal actions. - - - id: mp-6.1_gdn - name: guidance - prose: Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions; types of media sanitized; files stored on the media; sanitization methods used; date and time of the sanitization actions; personnel who performed the sanitization; verification actions taken and personnel who performed the verification; and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal. - - - id: mp-6.2 - class: SP800-53-enhancement - title: Equipment Testing - parameters: - - - id: mp-6.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: MP-6(2) - - - name: sort-id - value: MP-06(02) - parts: - - - id: mp-6.2_smt - name: statement - prose: Test sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being achieved. - - - id: mp-6.2_gdn - name: guidance - prose: Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers. - - - id: mp-6.3 - class: SP800-53-enhancement - title: Nondestructive Techniques - parameters: - - - id: mp-6.3_prm_1 - label: organization-defined circumstances requiring sanitization of portable storage devices - properties: - - - name: label - value: MP-6(3) - - - name: sort-id - value: MP-06(03) - parts: - - - id: mp-6.3_smt - name: statement - prose: Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ mp-6.3_prm_1 }}. - - - id: mp-6.3_gdn - name: guidance - prose: Portable storage devices include external or removable hard disk drives (solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices. - - - id: mp-7 - class: SP800-53 - title: Media Use - parameters: - - - id: mp-7_prm_1 - - - id: mp-7_prm_2 - label: organization-defined types of system media - - - id: mp-7_prm_3 - label: organization-defined systems or system components - - - id: mp-7_prm_4 - label: organization-defined controls - properties: - - - name: label - value: MP-7 - - - name: sort-id - value: MP-07 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-41 - rel: related - text: SC-41 - parts: - - - id: mp-7_smt - name: statement - parts: - - - id: mp-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - - {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and - """ - - - id: mp-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. - - - id: mp-7_gdn - name: guidance - prose: System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices. - - - id: pe - class: family - title: Physical and Environmental Protection - controls: - - - id: pe-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pe-1_prm_1 - label: organization-defined personnel or roles - - - id: pe-1_prm_2 - - - id: pe-1_prm_3 - label: organization-defined official - - - id: pe-1_prm_4 - label: organization-defined frequency - - - id: pe-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PE-1 - - - name: sort-id - value: PE-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pe-1_smt - name: statement - parts: - - - id: pe-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pe-1_prm_1 }}: - parts: - - - id: pe-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pe-1_prm_2 }} physical and environmental protection policy that: - """ - parts: - - - id: pe-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pe-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pe-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; - - - id: pe-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and - - - id: pe-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current physical and environmental protection: - parts: - - - id: pe-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pe-1_prm_4 }}; and - - - id: pe-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pe-1_prm_5 }}. - - - id: pe-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pe-2 - class: SP800-53 - title: Physical Access Authorizations - parameters: - - - id: pe-2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PE-2 - - - name: sort-id - value: PE-02 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-8 - rel: related - text: PE-8 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-6 - rel: related - text: PS-6 - parts: - - - id: pe-2_smt - name: statement - parts: - - - id: pe-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; - - - id: pe-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Issue authorization credentials for facility access; - - - id: pe-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and - - - id: pe-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Remove individuals from the facility access list when access is no longer required. - - - id: pe-2_gdn - name: guidance - prose: Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible. - - - id: pe-3 - class: SP800-53 - title: Physical Access Control - parameters: - - - id: pe-3_prm_1 - label: organization-defined entry and exit points to the facility where the system resides - - - id: pe-3_prm_2 - - - id: pe-3_prm_3 - depends-on: pe-3_prm_2 - label: organization-defined physical access control systems or devices - - - id: pe-3_prm_4 - label: organization-defined entry or exit points - - - id: pe-3_prm_5 - label: organization-defined controls - - - id: pe-3_prm_6 - label: organization-defined circumstances requiring visitor escorts and monitoring - - - id: pe-3_prm_7 - label: organization-defined physical access devices - - - id: pe-3_prm_8 - label: organization-defined frequency - - - id: pe-3_prm_9 - label: organization-defined frequency - properties: - - - name: label - value: PE-3 - - - name: sort-id - value: PE-03 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ad7d575f-b5fe-489b-8d48-36a93d964a5f - rel: reference - text: [SP 800-116] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-8 - rel: related - text: PE-8 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: pe-3_smt - name: statement - parts: - - - id: pe-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enforce physical access authorizations at {{ pe-3_prm_1 }} by: - parts: - - - id: pe-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Verifying individual access authorizations before granting access to the facility; and - - - id: pe-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Controlling ingress and egress to the facility using {{ pe-3_prm_2 }}; - - - id: pe-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain physical access audit logs for {{ pe-3_prm_4 }}; - - - id: pe-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }}; - - - id: pe-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Escort visitors and monitor visitor activity {{ pe-3_prm_6 }}; - - - id: pe-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Secure keys, combinations, and other physical access devices; - - - id: pe-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and - - - id: pe-3_smt.g - name: item - properties: - - - name: label - value: g. - prose: Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. - - - id: pe-3_gdn - name: guidance - prose: Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components. - controls: - - - id: pe-3.1 - class: SP800-53-enhancement - title: System Access - parameters: - - - id: pe-3.1_prm_1 - label: organization-defined physical spaces containing one or more components of the system - properties: - - - name: label - value: PE-3(1) - - - name: sort-id - value: PE-03(01) - parts: - - - id: pe-3.1_smt - name: statement - prose: Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ pe-3.1_prm_1 }}. - - - id: pe-3.1_gdn - name: guidance - prose: Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components. - - - id: pe-4 - class: SP800-53 - title: Access Control for Transmission - parameters: - - - id: pe-4_prm_1 - label: organization-defined system distribution and transmission lines - - - id: pe-4_prm_2 - label: organization-defined security controls - properties: - - - name: label - value: PE-4 - - - name: sort-id - value: PE-04 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-9 - rel: related - text: PE-9 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-8 - rel: related - text: SC-8 - parts: - - - id: pe-4_smt - name: statement - prose: Control physical access to {{ pe-4_prm_1 }} within organizational facilities using {{ pe-4_prm_2 }}. - - - id: pe-4_gdn - name: guidance - prose: Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors. - - - id: pe-5 - class: SP800-53 - title: Access Control for Output Devices - parameters: - - - id: pe-5_prm_1 - label: organization-defined output devices - properties: - - - name: label - value: PE-5 - - - name: sort-id - value: PE-05 - links: - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-18 - rel: related - text: PE-18 - parts: - - - id: pe-5_smt - name: statement - prose: Control physical access to output from {{ pe-5_prm_1 }} to prevent unauthorized individuals from obtaining the output. - - - id: pe-5_gdn - name: guidance - prose: Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers. - - - id: pe-6 - class: SP800-53 - title: Monitoring Physical Access - parameters: - - - id: pe-6_prm_1 - label: organization-defined frequency - - - id: pe-6_prm_2 - label: organization-defined events or potential indications of events - properties: - - - name: label - value: PE-6 - - - name: sort-id - value: PE-06 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - parts: - - - id: pe-6_smt - name: statement - parts: - - - id: pe-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; - - - id: pe-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and - - - id: pe-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Coordinate results of reviews and investigations with the organizational incident response capability. - - - id: pe-6_gdn - name: guidance - prose: Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses. - controls: - - - id: pe-6.1 - class: SP800-53-enhancement - title: Intrusion Alarms and Surveillance Equipment - properties: - - - name: label - value: PE-6(1) - - - name: sort-id - value: PE-06(01) - parts: - - - id: pe-6.1_smt - name: statement - prose: Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment. - - - id: pe-6.1_gdn - name: guidance - prose: Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility. - - - id: pe-6.4 - class: SP800-53-enhancement - title: Monitoring Physical Access to Systems - parameters: - - - id: pe-6.4_prm_1 - label: organization-defined physical spaces containing one or more components of the system - properties: - - - name: label - value: PE-6(4) - - - name: sort-id - value: PE-06(04) - parts: - - - id: pe-6.4_smt - name: statement - prose: Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ pe-6.4_prm_1 }}. - - - id: pe-6.4_gdn - name: guidance - prose: Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization. - - - id: pe-8 - class: SP800-53 - title: Visitor Access Records - parameters: - - - id: pe-8_prm_1 - label: organization-defined time-period - - - id: pe-8_prm_2 - label: organization-defined frequency - - - id: pe-8_prm_3 - label: organization-defined personnel - properties: - - - name: label - value: PE-8 - - - name: sort-id - value: PE-08 - links: - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - parts: - - - id: pe-8_smt - name: statement - parts: - - - id: pe-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }}; - - - id: pe-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review visitor access records {{ pe-8_prm_2 }}; and - - - id: pe-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Report anomalies in visitor access records to {{ pe-8_prm_3 }}. - - - id: pe-8_gdn - name: guidance - prose: Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas. - controls: - - - id: pe-8.1 - class: SP800-53-enhancement - title: Automated Records Maintenance and Review - parameters: - - - id: pe-8.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: PE-8(1) - - - name: sort-id - value: PE-08(01) - parts: - - - id: pe-8.1_smt - name: statement - prose: Maintain and review visitor access records using {{ pe-8.1_prm_1 }}. - - - id: pe-8.1_gdn - name: guidance - prose: Visitor access records can be stored and maintained, for example, in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on regular basis to determine if access authorizations are current and still required to support organizational missions and business functions. - - - id: pe-9 - class: SP800-53 - title: Power Equipment and Cabling - properties: - - - name: label - value: PE-9 - - - name: sort-id - value: PE-09 - links: - - - href: #pe-4 - rel: related - text: PE-4 - parts: - - - id: pe-9_smt - name: statement - prose: Protect power equipment and power cabling for the system from damage and destruction. - - - id: pe-9_gdn - name: guidance - prose: Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems. - - - id: pe-10 - class: SP800-53 - title: Emergency Shutoff - parameters: - - - id: pe-10_prm_1 - label: organization-defined system or individual system components - - - id: pe-10_prm_2 - label: organization-defined location by system or system component - properties: - - - name: label - value: PE-10 - - - name: sort-id - value: PE-10 - links: - - - href: #pe-15 - rel: related - text: PE-15 - parts: - - - id: pe-10_smt - name: statement - parts: - - - id: pe-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide the capability of shutting off power to {{ pe-10_prm_1 }} in emergency situations; - - - id: pe-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Place emergency shutoff switches or devices in {{ pe-10_prm_2 }} to facilitate access for authorized personnel; and - - - id: pe-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Protect emergency power shutoff capability from unauthorized activation. - - - id: pe-10_gdn - name: guidance - prose: Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery. - - - id: pe-11 - class: SP800-53 - title: Emergency Power - parameters: - - - id: pe-11_prm_1 - properties: - - - name: label - value: PE-11 - - - name: sort-id - value: PE-11 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: pe-11_smt - name: statement - prose: Provide an uninterruptible power supply to facilitate {{ pe-11_prm_1 }} in the event of a primary power source loss. - - - id: pe-11_gdn - name: guidance - prose: An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system. - controls: - - - id: pe-11.1 - class: SP800-53-enhancement - title: Alternate Power Supply — Minimal Operational Capability - parameters: - - - id: pe-11.1_prm_1 - properties: - - - name: label - value: PE-11(1) - - - name: sort-id - value: PE-11(01) - parts: - - - id: pe-11.1_smt - name: statement - prose: Provide an alternate power supply for the system that is activated {{ pe-11.1_prm_1 }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source. - - - id: pe-11.1_gdn - name: guidance - prose: Provision of an alternate power supply with minimal operating capability can be satisfied, for example, by accessing a secondary commercial power supply or other external power supply. - - - id: pe-12 - class: SP800-53 - title: Emergency Lighting - properties: - - - name: label - value: PE-12 - - - name: sort-id - value: PE-12 - links: - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: pe-12_smt - name: statement - prose: Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. - - - id: pe-12_gdn - name: guidance - prose: The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites. - - - id: pe-13 - class: SP800-53 - title: Fire Protection - properties: - - - name: label - value: PE-13 - - - name: sort-id - value: PE-13 - links: - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: pe-13_smt - name: statement - prose: Employ and maintain fire detection and suppression systems that are supported by an independent energy source. - - - id: pe-13_gdn - name: guidance - prose: The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors. - controls: - - - id: pe-13.1 - class: SP800-53-enhancement - title: Detection Systems – Automatic Activation and Notification - parameters: - - - id: pe-13.1_prm_1 - label: organization-defined personnel or roles - - - id: pe-13.1_prm_2 - label: organization-defined emergency responders - properties: - - - name: label - value: PE-13(1) - - - name: sort-id - value: PE-13(01) - parts: - - - id: pe-13.1_smt - name: statement - prose: Employ fire detection systems that activate automatically and notify {{ pe-13.1_prm_1 }} and {{ pe-13.1_prm_2 }} in the event of a fire. - - - id: pe-13.1_gdn - name: guidance - prose: Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire. - - - id: pe-13.2 - class: SP800-53-enhancement - title: Suppression Systems – Automatic Activation and Notification - parameters: - - - id: pe-13.2_prm_1 - label: organization-defined personnel or roles - - - id: pe-13.2_prm_2 - label: organization-defined emergency responders - properties: - - - name: label - value: PE-13(2) - - - name: sort-id - value: PE-13(02) - parts: - - - id: pe-13.2_smt - name: statement - parts: - - - id: pe-13.2_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Employ fire suppression systems that activate automatically and notify {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}; and - - - id: pe-13.2_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. - - - id: pe-13.2_gdn - name: guidance - prose: Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances, for example, to enter to facilities where access is restricted due to the impact level or classification of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire. - - - id: pe-14 - class: SP800-53 - title: Environmental Controls - parameters: - - - id: pe-14_prm_1 - - - id: pe-14_prm_2 - depends-on: pe-14_prm_1 - label: organization-defined environmental control - - - id: pe-14_prm_3 - label: organization-defined acceptable levels - - - id: pe-14_prm_4 - label: organization-defined frequency - properties: - - - name: label - value: PE-14 - - - name: sort-id - value: PE-14 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pe-21 - rel: related - text: PE-21 - parts: - - - id: pe-14_smt - name: statement - parts: - - - id: pe-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and - - - id: pe-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Monitor environmental control levels {{ pe-14_prm_4 }}. - - - id: pe-14_gdn - name: guidance - prose: The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure. - - - id: pe-15 - class: SP800-53 - title: Water Damage Protection - properties: - - - name: label - value: PE-15 - - - name: sort-id - value: PE-15 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pe-10 - rel: related - text: PE-10 - parts: - - - id: pe-15_smt - name: statement - prose: Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. - - - id: pe-15_gdn - name: guidance - prose: The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. - controls: - - - id: pe-15.1 - class: SP800-53-enhancement - title: Automation Support - parameters: - - - id: pe-15.1_prm_1 - label: organization-defined personnel or roles - - - id: pe-15.1_prm_2 - label: organization-defined automated mechanisms - properties: - - - name: label - value: PE-15(1) - - - name: sort-id - value: PE-15(01) - parts: - - - id: pe-15.1_smt - name: statement - prose: Detect the presence of water near the system and alert {{ pe-15.1_prm_1 }} using {{ pe-15.1_prm_2 }}. - - - id: pe-15.1_gdn - name: guidance - prose: Automated mechanisms include notification systems, water detection sensors, and alarms. - - - id: pe-16 - class: SP800-53 - title: Delivery and Removal - parameters: - - - id: pe-16_prm_1 - label: organization-defined types of system components - properties: - - - name: label - value: PE-16 - - - name: sort-id - value: PE-16 - links: - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: pe-16_smt - name: statement - parts: - - - id: pe-16_smt.a - name: item - properties: - - - name: label - value: a. - prose: Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and - - - id: pe-16_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain records of the system components. - - - id: pe-16_gdn - name: guidance - prose: Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries. - - - id: pe-17 - class: SP800-53 - title: Alternate Work Site - parameters: - - - id: pe-17_prm_1 - label: organization-defined alternate work sites - - - id: pe-17_prm_2 - label: organization-defined controls - properties: - - - name: label - value: PE-17 - - - name: sort-id - value: PE-17 - links: - - - href: #7768c184-088d-4ee8-a316-f9286b52df7f - rel: reference - text: [SP 800-46] - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: pe-17_smt - name: statement - parts: - - - id: pe-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine and document the {{ pe-17_prm_1 }} allowed for use by employees; - - - id: pe-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following controls at alternate work sites: {{ pe-17_prm_2 }}; - - - id: pe-17_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assess the effectiveness of controls at alternate work sites; and - - - id: pe-17_smt.d - name: item - properties: - - - name: label - value: d. - prose: Provide a means for employees to communicate with information security and privacy personnel in case of incidents. - - - id: pe-17_gdn - name: guidance - prose: Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations. - - - id: pe-18 - class: SP800-53 - title: Location of System Components - parameters: - - - id: pe-18_prm_1 - label: organization-defined physical and environmental hazards - properties: - - - name: label - value: PE-18 - - - name: sort-id - value: PE-18 - links: - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-19 - rel: related - text: PE-19 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: pe-18_smt - name: statement - prose: Position system components within the facility to minimize potential damage from {{ pe-18_prm_1 }} and to minimize the opportunity for unauthorized access. - - - id: pe-18_gdn - name: guidance - prose: Physical and environmental hazards include floods, fires, tornados, earthquakes, hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications, including using wireless sniffers or microphones. - - - id: pl - class: family - title: Planning - controls: - - - id: pl-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pl-1_prm_1 - label: organization-defined personnel or roles - - - id: pl-1_prm_2 - - - id: pl-1_prm_3 - label: organization-defined official - - - id: pl-1_prm_4 - label: organization-defined frequency - - - id: pl-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PL-1 - - - name: sort-id - value: PL-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-1_smt - name: statement - parts: - - - id: pl-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pl-1_prm_1 }}: - parts: - - - id: pl-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pl-1_prm_2 }} planning policy that: - """ - parts: - - - id: pl-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pl-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pl-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the planning policy and the associated planning controls; - - - id: pl-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and - - - id: pl-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current planning: - parts: - - - id: pl-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pl-1_prm_4 }}; and - - - id: pl-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pl-1_prm_5 }}. - - - id: pl-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pl-2 - class: SP800-53 - title: System Security and Privacy Plans - parameters: - - - id: pl-2_prm_1 - label: organization-defined individuals or groups - - - id: pl-2_prm_2 - label: organization-defined personnel or roles - - - id: pl-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PL-2 - - - name: sort-id - value: PL-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-22 - rel: related - text: SA-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pl-2_smt - name: statement - parts: - - - id: pl-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop security and privacy plans for the system that: - parts: - - - id: pl-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are consistent with the organization’s enterprise architecture; - - - id: pl-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Explicitly define the constituent system components; - - - id: pl-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Describe the operational context of the system in terms of missions and business processes; - - - id: pl-2_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Provide the security categorization of the system, including supporting rationale; - - - id: pl-2_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Describe any specific threats to the system that are of concern to the organization; - - - id: pl-2_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provide the results of a privacy risk assessment for systems processing personally identifiable information; - - - id: pl-2_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; - - - id: pl-2_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: Provide an overview of the security and privacy requirements for the system; - - - id: pl-2_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Identify any relevant control baselines or overlays, if applicable; - - - id: pl-2_smt.a.10 - name: item - properties: - - - name: label - value: 10. - prose: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; - - - id: pl-2_smt.a.11 - name: item - properties: - - - name: label - value: 11. - prose: Include risk determinations for security and privacy architecture and design decisions; - - - id: pl-2_smt.a.12 - name: item - properties: - - - name: label - value: 12. - prose: Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and - - - id: pl-2_smt.a.13 - name: item - properties: - - - name: label - value: 13. - prose: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. - - - id: pl-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }}; - - - id: pl-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the plans {{ pl-2_prm_3 }}; - - - id: pl-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and - - - id: pl-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the plans from unauthorized disclosure and modification. - - - id: pl-2_gdn - name: guidance - prose: - """ - System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. - Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. - Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. - Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate. - """ - - - id: pl-4 - class: SP800-53 - title: Rules of Behavior - parameters: - - - id: pl-4_prm_1 - label: organization-defined frequency - - - id: pl-4_prm_2 - - - id: pl-4_prm_3 - depends-on: pl-4_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PL-4 - - - name: sort-id - value: PL-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-9 - rel: related - text: AC-9 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-4_smt - name: statement - parts: - - - id: pl-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; - - - id: pl-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; - - - id: pl-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the rules of behavior {{ pl-4_prm_1 }}; and - - - id: pl-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}. - - - id: pl-4_gdn - name: guidance - prose: Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons. - controls: - - - id: pl-4.1 - class: SP800-53-enhancement - title: Social Media and External Site/application Usage Restrictions - properties: - - - name: label - value: PL-4(1) - - - name: sort-id - value: PL-04(01) - links: - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #au-13 - rel: related - text: AU-13 - parts: - - - id: pl-4.1_smt - name: statement - prose: Include in the rules of behavior, restrictions on: - parts: - - - id: pl-4.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Use of social media, social networking sites, and external sites/applications; - - - id: pl-4.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Posting organizational information on public websites; and - - - id: pl-4.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications. - - - id: pl-4.1_gdn - name: guidance - prose: Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information. - - - id: pl-8 - class: SP800-53 - title: Security and Privacy Architectures - parameters: - - - id: pl-8_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PL-8 - - - name: sort-id - value: PL-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pl-9 - rel: related - text: PL-9 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: pl-8_smt - name: statement - parts: - - - id: pl-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop security and privacy architectures for the system that: - parts: - - - id: pl-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; - - - id: pl-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; - - - id: pl-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Describe how the architectures are integrated into and support the enterprise architecture; and - - - id: pl-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Describe any assumptions about, and dependencies on, external systems and services; - - - id: pl-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and - - - id: pl-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions. - - - id: pl-8_gdn - name: guidance - prose: - """ - The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs. - [SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews). - In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented. - PL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures. - """ - - - id: pl-10 - class: SP800-53 - title: Baseline Selection - properties: - - - name: label - value: PL-10 - - - name: sort-id - value: PL-10 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #31f3c9de-c57c-4281-929b-f9951f9640f1 - rel: reference - text: [SP 800-53B] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ee96f130-3f91-46ed-a4d8-57e5f220a623 - rel: reference - text: [CNSSI 1253] - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pl-10_smt - name: statement - prose: Select a control baseline for the system. - - - id: pl-10_gdn - name: guidance - prose: Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments. - - - id: pl-11 - class: SP800-53 - title: Baseline Tailoring - properties: - - - name: label - value: PL-11 - - - name: sort-id - value: PL-11 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #31f3c9de-c57c-4281-929b-f9951f9640f1 - rel: reference - text: [SP 800-53B] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ee96f130-3f91-46ed-a4d8-57e5f220a623 - rel: reference - text: [CNSSI 1253] - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pl-11_smt - name: statement - prose: Tailor the selected control baseline by applying specified tailoring actions. - - - id: pl-11_gdn - name: guidance - prose: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities. - - - id: pm - class: family - title: Program Management - controls: - - - id: pm-1 - class: SP800-53 - title: Information Security Program Plan - parameters: - - - id: pm-1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-1 - - - name: sort-id - value: PM-01 - links: - - - href: #14958422-54f6-471f-a345-802dca594dd8 - rel: reference - text: [FISMA] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: pm-1_smt - name: statement - parts: - - - id: pm-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and disseminate an organization-wide information security program plan that: - parts: - - - id: pm-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; - - - id: pm-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; - - - id: pm-1_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Reflects the coordination among organizational entities responsible for information security; and - - - id: pm-1_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; - - - id: pm-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the organization-wide information security program plan {{ pm-1_prm_1 }}; - - - id: pm-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and - - - id: pm-1_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect the information security program plan from unauthorized disclosure and modification. - - - id: pm-1_gdn - name: guidance - prose: - """ - An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents. - Information security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. - Program management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization. - Common controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls. - """ - - - id: pm-2 - class: SP800-53 - title: Information Security Program Leadership Role - properties: - - - name: label - value: PM-2 - - - name: sort-id - value: PM-02 - links: - - - href: #ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3 - rel: reference - text: [OMB M-17-25] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - parts: - - - id: pm-2_smt - name: statement - prose: Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. - - - id: pm-2_gdn - name: guidance - prose: The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer. - - - id: pm-3 - class: SP800-53 - title: Information Security and Privacy Resources - properties: - - - name: label - value: PM-3 - - - name: sort-id - value: PM-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-3_smt - name: statement - parts: - - - id: pm-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; - - - id: pm-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and - - - id: pm-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make available for expenditure, the planned information security and privacy resources. - - - id: pm-3_gdn - name: guidance - prose: Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process. - - - id: pm-4 - class: SP800-53 - title: Plan of Action and Milestones Process - properties: - - - name: label - value: PM-4 - - - name: sort-id - value: PM-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-3 - rel: related - text: PM-3 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-4_smt - name: statement - parts: - - - id: pm-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems: - parts: - - - id: pm-4_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; - - - id: pm-4_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and - - - id: pm-4_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Are reported in accordance with established reporting requirements. - - - id: pm-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-4_gdn - name: guidance - prose: The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5. - - - id: pm-5 - class: SP800-53 - title: System Inventory - parameters: - - - id: pm-5_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-5 - - - name: sort-id - value: PM-05 - links: - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - parts: - - - id: pm-5_smt - name: statement - prose: Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems. - - - id: pm-5_gdn - name: guidance - prose: [OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8. - controls: - - - id: pm-5.1 - class: SP800-53-enhancement - title: Inventory of Personally Identifiable Information - parameters: - - - id: pm-5.1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-5(1) - - - name: sort-id - value: PM-05(01) - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-12 - rel: related - text: CM-12 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-5.1_smt - name: statement - prose: Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information. - - - id: pm-5.1_gdn - name: guidance - prose: An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein. - - - id: pm-6 - class: SP800-53 - title: Measures of Performance - properties: - - - name: label - value: PM-6 - - - name: sort-id - value: PM-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - rel: reference - text: [SP 800-55] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-7 - rel: related - text: CA-7 - parts: - - - id: pm-6_smt - name: statement - prose: Develop, monitor, and report on the results of information security and privacy measures of performance. - - - id: pm-6_gdn - name: guidance - prose: Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. - - - id: pm-7 - class: SP800-53 - title: Enterprise Architecture - properties: - - - name: label - value: PM-7 - - - name: sort-id - value: PM-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #au-6 - rel: related - text: AU-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: pm-7_smt - name: statement - prose: Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. - - - id: pm-7_gdn - name: guidance - prose: The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines. - controls: - - - id: pm-7.1 - class: SP800-53-enhancement - title: Offloading - parameters: - - - id: pm-7.1_prm_1 - label: organization-defined non-essential functions or services - properties: - - - name: label - value: PM-7(1) - - - name: sort-id - value: PM-07(01) - links: - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pm-7.1_smt - name: statement - prose: Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider. - - - id: pm-7.1_gdn - name: guidance - prose: Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services. - - - id: pm-8 - class: SP800-53 - title: Critical Infrastructure Plan - properties: - - - name: label - value: PM-8 - - - name: sort-id - value: PM-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #cde25174-38e0-4a00-8919-8ee3674b8088 - rel: reference - text: [HSPD 7] - - - href: #24b7b1ec-6430-41de-9353-29fdb1b488fc - rel: reference - text: [DHS NIPP] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-8_smt - name: statement - prose: Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. - - - id: pm-8_gdn - name: guidance - prose: Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: pm-9 - class: SP800-53 - title: Risk Management Strategy - parameters: - - - id: pm-9_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-9 - - - name: sort-id - value: PM-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: pm-9_smt - name: statement - parts: - - - id: pm-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develops a comprehensive strategy to manage: - parts: - - - id: pm-9_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and - - - id: pm-9_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; - - - id: pm-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the risk management strategy consistently across the organization; and - - - id: pm-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes. - - - id: pm-9_gdn - name: guidance - prose: An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive. - - - id: pm-10 - class: SP800-53 - title: Authorization Process - properties: - - - name: label - value: PM-10 - - - name: sort-id - value: PM-10 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: pm-10_smt - name: statement - parts: - - - id: pm-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; - - - id: pm-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and - - - id: pm-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Integrate the authorization processes into an organization-wide risk management program. - - - id: pm-10_gdn - name: guidance - prose: Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation. - - - id: pm-11 - class: SP800-53 - title: Mission and Business Process Definition - parameters: - - - id: pm-11_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-11 - - - name: sort-id - value: PM-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-11_smt - name: statement - parts: - - - id: pm-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and - - - id: pm-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and revise the mission and business processes {{ pm-11_prm_1 }}. - - - id: pm-11_gdn - name: guidance - prose: Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures. - - - id: pm-12 - class: SP800-53 - title: Insider Threat Program - properties: - - - name: label - value: PM-12 - - - name: sort-id - value: PM-12 - links: - - - href: #2b5e12fb-633f-49e6-8aff-81d75bf53545 - rel: reference - text: [EO 13587] - - - href: #286d42a1-efbe-49a2-9ce1-4c9bf68feb3b - rel: reference - text: [ODNI NITP] - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-16 - rel: related - text: PM-16 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #pm-14 - rel: related - text: PM-14 - parts: - - - id: pm-12_smt - name: statement - prose: Implement an insider threat program that includes a cross-discipline insider threat incident handling team. - - - id: pm-12_gdn - name: guidance - prose: - """ - Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture. - Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - """ - - - id: pm-13 - class: SP800-53 - title: Security and Privacy Workforce - properties: - - - name: label - value: PM-13 - - - name: sort-id - value: PM-13 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f4c3f657-de83-47ae-9aec-e144de8268d1 - rel: reference - text: [SP 800-181] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: pm-13_smt - name: statement - prose: Establish a security and privacy workforce development and improvement program. - - - id: pm-13_gdn - name: guidance - prose: Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals. - - - id: pm-14 - class: SP800-53 - title: Testing, Training, and Monitoring - properties: - - - name: label - value: PM-14 - - - name: sort-id - value: PM-14 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: pm-14_smt - name: statement - parts: - - - id: pm-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: - parts: - - - id: pm-14_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; and - - - id: pm-14_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Continue to be executed; and - - - id: pm-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-14_gdn - name: guidance - prose: This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. - - - id: pm-15 - class: SP800-53 - title: Security and Privacy Groups and Associations - properties: - - - name: label - value: PM-15 - - - name: sort-id - value: PM-15 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #si-5 - rel: related - text: SI-5 - parts: - - - id: pm-15_smt - name: statement - prose: Establish and institutionalize contact with selected groups and associations within the security and privacy communities: - parts: - - - id: pm-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: To facilitate ongoing security and privacy education and training for organizational personnel; - - - id: pm-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: To maintain currency with recommended security and privacy practices, techniques, and technologies; and - - - id: pm-15_smt.c - name: item - properties: - - - name: label - value: c. - prose: To share current security and privacy information, including threats, vulnerabilities, and incidents. - - - id: pm-15_gdn - name: guidance - prose: Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: pm-16 - class: SP800-53 - title: Threat Awareness Program - properties: - - - name: label - value: PM-16 - - - name: sort-id - value: PM-16 - links: - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pm-12 - rel: related - text: PM-12 - parts: - - - id: pm-16_smt - name: statement - prose: Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. - - - id: pm-16_gdn - name: guidance - prose: Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared. - controls: - - - id: pm-16.1 - class: SP800-53-enhancement - title: Automated Means for Sharing Threat Intelligence - properties: - - - name: label - value: PM-16(1) - - - name: sort-id - value: PM-16(01) - parts: - - - id: pm-16.1_smt - name: statement - prose: Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. - - - id: pm-16.1_gdn - name: guidance - prose: To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures. - - - id: pm-17 - class: SP800-53 - title: Protecting Controlled Unclassified Information on External Systems - parameters: - - - id: pm-17_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-17 - - - name: sort-id - value: PM-17 - links: - - - href: #742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - rel: reference - text: [32 CFR 2002] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #dd87fdf0-840d-4392-9de4-220b2327e340 - rel: reference - text: [NARA CUI] - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #pm-10 - rel: related - text: PM-10 - parts: - - - id: pm-17_smt - name: statement - parts: - - - id: pm-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards. - - - id: pm-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update the policy and procedures {{ pm-17_prm_1 }}. - - - id: pm-17_gdn - name: guidance - prose: Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes. - - - id: pm-18 - class: SP800-53 - title: Privacy Program Plan - properties: - - - name: label - value: PM-18 - - - name: sort-id - value: PM-18 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-18_smt - name: statement - parts: - - - id: pm-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: - parts: - - - id: pm-18_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; - - - id: pm-18_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; - - - id: pm-18_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; - - - id: pm-18_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; - - - id: pm-18_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Reflects coordination among organizational entities responsible for the different aspects of privacy; and - - - id: pm-18_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. - - - id: pm-18_gdn - name: guidance - prose: - """ - A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. - The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. - Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. - Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls. - """ - - - id: pm-19 - class: SP800-53 - title: Privacy Program Leadership Role - properties: - - - name: label - value: PM-19 - - - name: sort-id - value: PM-19 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-20 - rel: related - text: PM-20 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-24 - rel: related - text: PM-24 - parts: - - - id: pm-19_smt - name: statement - prose: Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. - - - id: pm-19_gdn - name: guidance - prose: The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24). - - - id: pm-20 - class: SP800-53 - title: Dissemination of Privacy Program Information - properties: - - - name: label - value: PM-20 - - - name: sort-id - value: PM-20 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f7d3617a-9a4f-4f1a-a688-845081b70390 - rel: reference - text: [OMB M-17-06] - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-8 - rel: related - text: RA-8 - parts: - - - id: pm-20_smt - name: statement - prose: Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: - parts: - - - id: pm-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; - - - id: pm-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensures that organizational privacy practices and reports are publicly available; and - - - id: pm-20_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. - - - id: pm-20_gdn - name: guidance - prose: Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications. - - - id: pm-21 - class: SP800-53 - title: Accounting of Disclosures - properties: - - - name: label - value: PM-21 - - - name: sort-id - value: PM-21 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #pt-2 - rel: related - text: PT-2 - parts: - - - id: pm-21_smt - name: statement - parts: - - - id: pm-21_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: - parts: - - - id: pm-21_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Date, nature, and purpose of each disclosure; and - - - id: pm-21_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Name and address, or other contact information of the person or organization to which the disclosure was made; - - - id: pm-21_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and - - - id: pm-21_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. - - - id: pm-21_gdn - name: guidance - prose: - """ - The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. - Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions. - """ - - - id: pm-22 - class: SP800-53 - title: Personally Identifiable Information Quality Management - properties: - - - name: label - value: PM-22 - - - name: sort-id - value: PM-22 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-22_smt - name: statement - prose: Develop and document policies and procedures for: - parts: - - - id: pm-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; - - - id: pm-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Correcting or deleting inaccurate or outdated personally identifiable information; - - - id: pm-22_smt.c - name: item - properties: - - - name: label - value: c. - prose: Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and - - - id: pm-22_smt.d - name: item - properties: - - - name: label - value: d. - prose: Appeals of adverse decisions on correction or deletion requests. - - - id: pm-22_gdn - name: guidance - prose: - """ - Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. - The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. - Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem. - """ - - - id: pm-23 - class: SP800-53 - title: Data Governance Body - parameters: - - - id: pm-23_prm_1 - label: organization-defined roles - - - id: pm-23_prm_2 - label: organization-defined responsibilities - properties: - - - name: label - value: PM-23 - - - name: sort-id - value: PM-23 - links: - - - href: #43facb7b-0afb-480f-8191-34790d5b444b - rel: reference - text: [EVIDACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #d843e915-eeb6-4bbe-8cab-ccc802088703 - rel: reference - text: [OMB M-19-23] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-19 - rel: related - text: SI-19 - parts: - - - id: pm-23_smt - name: statement - prose: Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}. - - - id: pm-23_gdn - name: guidance - prose: A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]. - - - id: pm-24 - class: SP800-53 - title: Data Integrity Board - properties: - - - name: label - value: PM-24 - - - name: sort-id - value: PM-24 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-8 - rel: related - text: PT-8 - parts: - - - id: pm-24_smt - name: statement - prose: Establish a Data Integrity Board to: - parts: - - - id: pm-24_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review proposals to conduct or participate in a matching program; and - - - id: pm-24_smt.b - name: item - properties: - - - name: label - value: b. - prose: Conduct an annual review of all matching programs in which the agency has participated. - - - id: pm-24_gdn - name: guidance - prose: A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy. - - - id: pm-25 - class: SP800-53 - title: Minimization of Pii Used in Testing, Training, and Research - parameters: - - - id: pm-25_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-25 - - - name: sort-id - value: PM-25 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: pm-25_smt - name: statement - parts: - - - id: pm-25_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; - - - id: pm-25_smt.b - name: item - properties: - - - name: label - value: b. - prose: Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; - - - id: pm-25_smt.c - name: item - properties: - - - name: label - value: c. - prose: Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and - - - id: pm-25_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review and update policies and procedures {{ pm-25_prm_1 }}. - - - id: pm-25_gdn - name: guidance - prose: The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2). - - - id: pm-26 - class: SP800-53 - title: Complaint Management - parameters: - - - id: pm-26_prm_1 - label: organization-defined time-period - - - id: pm-26_prm_2 - label: organization-defined time-period - - - id: pm-26_prm_3 - label: organization-defined time-period - properties: - - - name: label - value: PM-26 - - - name: sort-id - value: PM-26 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-26_smt - name: statement - prose: Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes: - parts: - - - id: pm-26_smt.a - name: item - properties: - - - name: label - value: a. - prose: Mechanisms that are easy to use and readily accessible by the public; - - - id: pm-26_smt.b - name: item - properties: - - - name: label - value: b. - prose: All information necessary for successfully filing complaints; - - - id: pm-26_smt.c - name: item - properties: - - - name: label - value: c. - prose: Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }}; - - - id: pm-26_smt.d - name: item - properties: - - - name: label - value: d. - prose: Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and - - - id: pm-26_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}. - - - id: pm-26_gdn - name: guidance - prose: Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information. - - - id: pm-27 - class: SP800-53 - title: Privacy Reporting - parameters: - - - id: pm-27_prm_1 - label: organization-defined privacy reports - - - id: pm-27_prm_2 - label: organization-defined officials - - - id: pm-27_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PM-27 - - - name: sort-id - value: PM-27 - links: - - - href: #14958422-54f6-471f-a345-802dca594dd8 - rel: reference - text: [FISMA] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-27_smt - name: statement - parts: - - - id: pm-27_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop {{ pm-27_prm_1 }} and disseminate to: - parts: - - - id: pm-27_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and - - - id: pm-27_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and - """ - - - id: pm-27_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update privacy reports {{ pm-27_prm_3 }}. - - - id: pm-27_gdn - name: guidance - prose: Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. - - - id: pm-28 - class: SP800-53 - title: Risk Framing - parameters: - - - id: pm-28_prm_1 - label: organization-defined personnel - - - id: pm-28_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PM-28 - - - name: sort-id - value: PM-28 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-7 - rel: related - text: RA-7 - parts: - - - id: pm-28_smt - name: statement - parts: - - - id: pm-28_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document: - parts: - - - id: pm-28_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Assumptions affecting risk assessments, risk responses, and risk monitoring; - - - id: pm-28_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Constraints affecting risk assessments, risk responses, and risk monitoring; - - - id: pm-28_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Priorities and trade-offs considered by the organization for managing risk; and - - - id: pm-28_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Organizational risk tolerance; and - - - id: pm-28_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute the results of risk framing activities to {{ pm-28_prm_1 }}; - - - id: pm-28_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update risk framing considerations {{ pm-28_prm_2 }}. - - - id: pm-28_gdn - name: guidance - prose: Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management. - - - id: pm-29 - class: SP800-53 - title: Risk Management Program Leadership Roles - properties: - - - name: label - value: PM-29 - - - name: sort-id - value: PM-29 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-29_smt - name: statement - parts: - - - id: pm-29_smt.a - name: item - properties: - - - name: label - value: a. - prose: Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and - - - id: pm-29_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. - - - id: pm-29_gdn - name: guidance - prose: The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities. - - - id: pm-30 - class: SP800-53 - title: Supply Chain Risk Management Strategy - parameters: - - - id: pm-30_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-30 - - - name: sort-id - value: PM-30 - links: - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-7 - rel: related - text: SR-7 - - - href: #sr-8 - rel: related - text: SR-8 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: pm-30_smt - name: statement - parts: - - - id: pm-30_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; - - - id: pm-30_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the supply chain risk management strategy consistently across the organization; and - - - id: pm-30_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes. - - - id: pm-30_gdn - name: guidance - prose: An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level. - - - id: pm-31 - class: SP800-53 - title: Continuous Monitoring Strategy - parameters: - - - id: pm-31_prm_1 - label: organization-defined metrics - - - id: pm-31_prm_2 - label: organization-defined frequencies - - - id: pm-31_prm_3 - label: organization-defined frequencies - - - id: pm-31_prm_4 - label: organization-defined personnel or roles - - - id: pm-31_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PM-31 - - - name: sort-id - value: PM-31 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pm-31_smt - name: statement - prose: Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: - parts: - - - id: pm-31_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }}; - - - id: pm-31_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness; - - - id: pm-31_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; - - - id: pm-31_smt.d - name: item - properties: - - - name: label - value: d. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: pm-31_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: pm-31_smt.f - name: item - properties: - - - name: label - value: f. - prose: - """ - Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }} - {{ pm-31_prm_5 }}. - """ - - - id: pm-31_gdn - name: guidance - prose: Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - - - id: pm-32 - class: SP800-53 - title: Purposing - parameters: - - - id: pm-32_prm_1 - label: organization-defined systems or systems components - properties: - - - name: label - value: PM-32 - - - name: sort-id - value: PM-32 - links: - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - parts: - - - id: pm-32_smt - name: statement - prose: Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose. - - - id: pm-32_gdn - name: guidance - prose: Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures. - - - id: ps - class: family - title: Personnel Security - controls: - - - id: ps-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ps-1_prm_1 - label: organization-defined personnel or roles - - - id: ps-1_prm_2 - - - id: ps-1_prm_3 - label: organization-defined official - - - id: ps-1_prm_4 - label: organization-defined frequency - - - id: ps-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PS-1 - - - name: sort-id - value: PS-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-1_smt - name: statement - parts: - - - id: ps-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ps-1_prm_1 }}: - parts: - - - id: ps-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ps-1_prm_2 }} personnel security policy that: - """ - parts: - - - id: ps-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ps-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ps-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; - - - id: ps-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and - - - id: ps-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current personnel security: - parts: - - - id: ps-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ps-1_prm_4 }}; and - - - id: ps-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ps-1_prm_5 }}. - - - id: ps-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ps-2 - class: SP800-53 - title: Position Risk Designation - parameters: - - - id: ps-2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PS-2 - - - name: sort-id - value: PS-02 - links: - - - href: #2383ccfd-d8a0-4e3a-bf40-21288ae1e07a - rel: reference - text: [5 CFR 731] - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-2_smt - name: statement - parts: - - - id: ps-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Assign a risk designation to all organizational positions; - - - id: ps-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establish screening criteria for individuals filling those positions; and - - - id: ps-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update position risk designations {{ ps-2_prm_1 }}. - - - id: ps-2_gdn - name: guidance - prose: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions. - - - id: ps-3 - class: SP800-53 - title: Personnel Screening - parameters: - - - id: ps-3_prm_1 - label: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening - properties: - - - name: label - value: PS-3 - - - name: sort-id - value: PS-03 - links: - - - href: #52a8b0c6-0c6b-424b-928d-41c50ba87838 - rel: reference - text: [EO 13526] - - - href: #2b5e12fb-633f-49e6-8aff-81d75bf53545 - rel: reference - text: [EO 13587] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-21 - rel: related - text: SA-21 - parts: - - - id: ps-3_smt - name: statement - parts: - - - id: ps-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Screen individuals prior to authorizing access to the system; and - - - id: ps-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Rescreen individuals in accordance with {{ ps-3_prm_1 }}. - - - id: ps-3_gdn - name: guidance - prose: Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems. - - - id: ps-4 - class: SP800-53 - title: Personnel Termination - parameters: - - - id: ps-4_prm_1 - label: organization-defined time-period - - - id: ps-4_prm_2 - label: organization-defined information security topics - properties: - - - name: label - value: PS-4 - - - name: sort-id - value: PS-04 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - parts: - - - id: ps-4_smt - name: statement - prose: Upon termination of individual employment: - parts: - - - id: ps-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Disable system access within {{ ps-4_prm_1 }}; - - - id: ps-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Terminate or revoke any authenticators and credentials associated with the individual; - - - id: ps-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }}; - - - id: ps-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Retrieve all security-related organizational system-related property; and - - - id: ps-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Retain access to organizational information and systems formerly controlled by terminated individual. - - - id: ps-4_gdn - name: guidance - prose: System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified. - controls: - - - id: ps-4.2 - class: SP800-53-enhancement - title: Automated Notification - parameters: - - - id: ps-4.2_prm_1 - label: organization-defined personnel or roles - - - id: ps-4.2_prm_2 - label: organization-defined automated mechanisms - properties: - - - name: label - value: PS-4(2) - - - name: sort-id - value: PS-04(02) - parts: - - - id: ps-4.2_smt - name: statement - prose: Notify {{ ps-4.2_prm_1 }} of individual termination actions using {{ ps-4.2_prm_2 }}. - - - id: ps-4.2_gdn - name: guidance - prose: In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including telephonically, via electronic mail, via text message, or via websites. - - - id: ps-5 - class: SP800-53 - title: Personnel Transfer - parameters: - - - id: ps-5_prm_1 - label: organization-defined transfer or reassignment actions - - - id: ps-5_prm_2 - label: organization-defined time-period following the formal transfer action - - - id: ps-5_prm_3 - label: organization-defined personnel or roles - - - id: ps-5_prm_4 - label: organization-defined time-period - properties: - - - name: label - value: PS-5 - - - name: sort-id - value: PS-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-7 - rel: related - text: PS-7 - parts: - - - id: ps-5_smt - name: statement - parts: - - - id: ps-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; - - - id: ps-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }}; - - - id: ps-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and - - - id: ps-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}. - - - id: ps-5_gdn - name: guidance - prose: Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts. - - - id: ps-6 - class: SP800-53 - title: Access Agreements - parameters: - - - id: ps-6_prm_1 - label: organization-defined frequency - - - id: ps-6_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PS-6 - - - name: sort-id - value: PS-06 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-6_smt - name: statement - parts: - - - id: ps-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and document access agreements for organizational systems; - - - id: ps-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the access agreements {{ ps-6_prm_1 }}; and - - - id: ps-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Verify that individuals requiring access to organizational information and systems: - parts: - - - id: ps-6_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Sign appropriate access agreements prior to being granted access; and - - - id: ps-6_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}. - - - id: ps-6_gdn - name: guidance - prose: Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. - - - id: ps-7 - class: SP800-53 - title: External Personnel Security - parameters: - - - id: ps-7_prm_1 - label: organization-defined personnel or roles - - - id: ps-7_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: PS-7 - - - name: sort-id - value: PS-07 - links: - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-21 - rel: related - text: SA-21 - parts: - - - id: ps-7_smt - name: statement - parts: - - - id: ps-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish personnel security requirements, including security roles and responsibilities for external providers; - - - id: ps-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Require external providers to comply with personnel security policies and procedures established by the organization; - - - id: ps-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document personnel security requirements; - - - id: ps-7_smt.d - name: item - properties: - - - name: label - value: d. - prose: Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and - - - id: ps-7_smt.e - name: item - properties: - - - name: label - value: e. - prose: Monitor provider compliance with personnel security requirements. - - - id: ps-7_gdn - name: guidance - prose: External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated. - - - id: ps-8 - class: SP800-53 - title: Personnel Sanctions - parameters: - - - id: ps-8_prm_1 - label: organization-defined personnel or roles - - - id: ps-8_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: PS-8 - - - name: sort-id - value: PS-08 - links: - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #pt-1 - rel: related - text: PT-1 - parts: - - - id: ps-8_smt - name: statement - parts: - - - id: ps-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and - - - id: ps-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. - - - id: ps-8_gdn - name: guidance - prose: Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. - - - id: ra - class: family - title: Risk Assessment - controls: - - - id: ra-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ra-1_prm_1 - label: organization-defined personnel or roles - - - id: ra-1_prm_2 - - - id: ra-1_prm_3 - label: organization-defined official - - - id: ra-1_prm_4 - label: organization-defined frequency - - - id: ra-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-1 - - - name: sort-id - value: RA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-1_smt - name: statement - parts: - - - id: ra-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ra-1_prm_1 }}: - parts: - - - id: ra-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ra-1_prm_2 }} risk assessment policy that: - """ - parts: - - - id: ra-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ra-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ra-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; - - - id: ra-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and - - - id: ra-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current risk assessment: - parts: - - - id: ra-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ra-1_prm_4 }}; and - - - id: ra-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ra-1_prm_5 }}. - - - id: ra-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ra-2 - class: SP800-53 - title: Security Categorization - properties: - - - name: label - value: RA-2 - - - name: sort-id - value: RA-02 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-2_smt - name: statement - parts: - - - id: ra-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Categorize the system and information it processes, stores, and transmits; - - - id: ra-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document the security categorization results, including supporting rationale, in the security plan for the system; and - - - id: ra-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. - - - id: ra-2_gdn - name: guidance - prose: - """ - Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. - Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts. - Security categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant. - """ - - - id: ra-3 - class: SP800-53 - title: Risk Assessment - parameters: - - - id: ra-3_prm_1 - - - id: ra-3_prm_2 - depends-on: ra-3_prm_1 - label: organization-defined document - - - id: ra-3_prm_3 - label: organization-defined frequency - - - id: ra-3_prm_4 - label: organization-defined personnel or roles - - - id: ra-3_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-3 - - - name: sort-id - value: RA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-3_smt - name: statement - parts: - - - id: ra-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Conduct a risk assessment, including: - parts: - - - id: ra-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and - - - id: ra-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; - - - id: ra-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; - - - id: ra-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document risk assessment results in {{ ra-3_prm_1 }}; - - - id: ra-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review risk assessment results {{ ra-3_prm_3 }}; - - - id: ra-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Disseminate risk assessment results to {{ ra-3_prm_4 }}; and - - - id: ra-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. - - - id: ra-3_gdn - name: guidance - prose: - """ - Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. - Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. - In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination. - """ - controls: - - - id: ra-3.1 - class: SP800-53-enhancement - title: Supply Chain Risk Assessment - parameters: - - - id: ra-3.1_prm_1 - label: organization-defined systems, system components, and system services - - - id: ra-3.1_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: RA-3(1) - - - name: sort-id - value: RA-03(01) - links: - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #pm-17 - rel: related - text: PM-17 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: ra-3.1_smt - name: statement - parts: - - - id: ra-3.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and - - - id: ra-3.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. - - - id: ra-3.1_gdn - name: guidance - prose: Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required. - - - id: ra-5 - class: SP800-53 - title: Vulnerability Monitoring and Scanning - parameters: - - - id: ra-5_prm_1 - label: organization-defined frequency and/or randomly in accordance with organization-defined process - - - id: ra-5_prm_2 - label: organization-defined response times - - - id: ra-5_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: RA-5 - - - name: sort-id - value: RA-05 - links: - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - rel: reference - text: [SP 800-126] - - - href: #bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - rel: reference - text: [IR 7788] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: ra-5_smt - name: statement - parts: - - - id: ra-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported; - - - id: ra-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: - parts: - - - id: ra-5_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: Enumerating platforms, software flaws, and improper configurations; - - - id: ra-5_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: Formatting checklists and test procedures; and - - - id: ra-5_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: Measuring vulnerability impact; - - - id: ra-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Analyze vulnerability scan reports and results from vulnerability monitoring; - - - id: ra-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk; - - - id: ra-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and - - - id: ra-5_smt.f - name: item - properties: - - - name: label - value: f. - prose: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. - - - id: ra-5_gdn - name: guidance - prose: - """ - Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. - Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). - Vulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. - Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points. - """ - controls: - - - id: ra-5.2 - class: SP800-53-enhancement - title: Update System Vulnerabilities - parameters: - - - id: ra-5.2_prm_1 - - - id: ra-5.2_prm_2 - depends-on: ra-5.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: RA-5(2) - - - name: sort-id - value: RA-05(02) - links: - - - href: #si-5 - rel: related - text: SI-5 - parts: - - - id: ra-5.2_smt - name: statement - prose: Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}. - - - id: ra-5.2_gdn - name: guidance - prose: Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner. - - - id: ra-5.4 - class: SP800-53-enhancement - title: Discoverable Information - parameters: - - - id: ra-5.4_prm_1 - label: organization-defined corrective actions - properties: - - - name: label - value: RA-5(4) - - - name: sort-id - value: RA-05(04) - links: - - - href: #au-13 - rel: related - text: AU-13 - - - href: #sc-26 - rel: related - text: SC-26 - parts: - - - id: ra-5.4_smt - name: statement - prose: Determine information about the system that is discoverable and take {{ ra-5.4_prm_1 }}. - - - id: ra-5.4_gdn - name: guidance - prose: Discoverable information includes information that adversaries could obtain without compromising or breaching the system, for example, by collecting information the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization. - - - id: ra-5.5 - class: SP800-53-enhancement - title: Privileged Access - parameters: - - - id: ra-5.5_prm_1 - label: organization-defined system components - - - id: ra-5.5_prm_2 - label: organization-defined vulnerability scanning activities - properties: - - - name: label - value: RA-5(5) - - - name: sort-id - value: RA-05(05) - parts: - - - id: ra-5.5_smt - name: statement - prose: Implement privileged access authorization to {{ ra-5.5_prm_1 }} for {{ ra-5.5_prm_2 }}. - - - id: ra-5.5_gdn - name: guidance - prose: In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning. - - - id: ra-7 - class: SP800-53 - title: Risk Response - properties: - - - name: label - value: RA-7 - - - name: sort-id - value: RA-07 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: ra-7_smt - name: statement - prose: Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. - - - id: ra-7_gdn - name: guidance - prose: Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated. - - - id: ra-9 - class: SP800-53 - title: Criticality Analysis - parameters: - - - id: ra-9_prm_1 - label: organization-defined systems, system components, or system services - - - id: ra-9_prm_2 - label: organization-defined decision points in the system development life cycle - properties: - - - name: label - value: RA-9 - - - name: sort-id - value: RA-09 - links: - - - href: #7a93e915-fd58-4147-be12-e48044c367e6 - rel: reference - text: [IR 8179] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-20 - rel: related - text: SA-20 - parts: - - - id: ra-9_smt - name: statement - prose: Identify critical system components and functions by performing a criticality analysis for {{ ra-9_prm_1 }} at {{ ra-9_prm_2 }}. - - - id: ra-9_gdn - name: guidance - prose: - """ - Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system. - The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2. - """ - - - id: sa - class: family - title: System and Services Acquisition - controls: - - - id: sa-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sa-1_prm_1 - label: organization-defined personnel or roles - - - id: sa-1_prm_2 - - - id: sa-1_prm_3 - label: organization-defined official - - - id: sa-1_prm_4 - label: organization-defined frequency - - - id: sa-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SA-1 - - - name: sort-id - value: SA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sa-1_smt - name: statement - parts: - - - id: sa-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sa-1_prm_1 }}: - parts: - - - id: sa-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sa-1_prm_2 }} system and services acquisition policy that: - """ - parts: - - - id: sa-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sa-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sa-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; - - - id: sa-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and - - - id: sa-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and services acquisition: - parts: - - - id: sa-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sa-1_prm_4 }}; and - - - id: sa-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sa-1_prm_5 }}. - - - id: sa-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sa-2 - class: SP800-53 - title: Allocation of Resources - properties: - - - name: label - value: SA-2 - - - name: sort-id - value: SA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pm-3 - rel: related - text: PM-3 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-2_smt - name: statement - parts: - - - id: sa-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; - - - id: sa-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and - - - id: sa-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. - - - id: sa-2_gdn - name: guidance - prose: Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle. - - - id: sa-3 - class: SP800-53 - title: System Development Life Cycle - parameters: - - - id: sa-3_prm_1 - label: organization-defined system development life cycle - properties: - - - name: label - value: SA-3 - - - name: sort-id - value: SA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - rel: reference - text: [SP 800-171B] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-22 - rel: related - text: SA-22 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-9 - rel: related - text: SR-9 - parts: - - - id: sa-3_smt - name: statement - parts: - - - id: sa-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations; - - - id: sa-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define and document information security and privacy roles and responsibilities throughout the system development life cycle; - - - id: sa-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Identify individuals having information security and privacy roles and responsibilities; and - - - id: sa-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Integrate the organizational information security and privacy risk management process into system development life cycle activities. - - - id: sa-3_gdn - name: guidance - prose: - """ - A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. - The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle. - """ - - - id: sa-4 - class: SP800-53 - title: Acquisition Process - parameters: - - - id: sa-4_prm_1 - - - id: sa-4_prm_2 - depends-on: sa-4_prm_1 - label: organization-defined contract language - properties: - - - name: label - value: SA-4 - - - name: sort-id - value: SA-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #6ddb507b-6ddb-4e15-a8d4-0854e704446e - rel: reference - text: [ISO 15408-1] - - - href: #18abb755-c10f-407d-b0ef-4f99e5ec4a49 - rel: reference - text: [ISO 15408-2] - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #daf69edb-a0ef-4447-9880-8c4bf553181f - rel: reference - text: [IR 7676] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #5dac2312-1d0d-416f-aebb-400fa9775b74 - rel: reference - text: [NIAP CCEVS] - - - href: #634dec27-df88-4c30-b1a4-b57cdfd24f20 - rel: reference - text: [NSA CSFC] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-4_smt - name: statement - prose: Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service: - parts: - - - id: sa-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Security and privacy functional requirements; - - - id: sa-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Strength of mechanism requirements; - - - id: sa-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Security and privacy assurance requirements; - - - id: sa-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Controls needed to satisfy the security and privacy requirements. - - - id: sa-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Security and privacy documentation requirements; - - - id: sa-4_smt.f - name: item - properties: - - - name: label - value: f. - prose: Requirements for protecting security and privacy documentation; - - - id: sa-4_smt.g - name: item - properties: - - - name: label - value: g. - prose: Description of the system development environment and environment in which the system is intended to operate; - - - id: sa-4_smt.h - name: item - properties: - - - name: label - value: h. - prose: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and - - - id: sa-4_smt.i - name: item - properties: - - - name: label - value: i. - prose: Acceptance criteria. - - - id: sa-4_gdn - name: guidance - prose: - """ - Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. - Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. - Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement. - """ - controls: - - - id: sa-4.1 - class: SP800-53-enhancement - title: Functional Properties of Controls - properties: - - - name: label - value: SA-4(1) - - - name: sort-id - value: SA-04(01) - parts: - - - id: sa-4.1_smt - name: statement - prose: Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. - - - id: sa-4.1_gdn - name: guidance - prose: Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls. - - - id: sa-4.2 - class: SP800-53-enhancement - title: Design and Implementation Information for Controls - parameters: - - - id: sa-4.2_prm_1 - - - id: sa-4.2_prm_2 - depends-on: sa-4.2_prm_1 - label: organization-defined design and implementation information - - - id: sa-4.2_prm_3 - label: organization-defined level of detail - properties: - - - name: label - value: SA-4(2) - - - name: sort-id - value: SA-04(02) - parts: - - - id: sa-4.2_smt - name: statement - prose: Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}. - - - id: sa-4.2_gdn - name: guidance - prose: Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system. - - - id: sa-4.5 - class: SP800-53-enhancement - title: System, Component, and Service Configurations - parameters: - - - id: sa-4.5_prm_1 - label: organization-defined security configurations - properties: - - - name: label - value: SA-4(5) - - - name: sort-id - value: SA-04(05) - parts: - - - id: sa-4.5_smt - name: statement - prose: Require the developer of the system, system component, or system service to: - parts: - - - id: sa-4.5_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Deliver the system, component, or service with {{ sa-4.5_prm_1 }} implemented; and - - - id: sa-4.5_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. - - - id: sa-4.5_gdn - name: guidance - prose: Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed. - - - id: sa-4.9 - class: SP800-53-enhancement - title: Functions, Ports, Protocols, and Services in Use - properties: - - - name: label - value: SA-4(9) - - - name: sort-id - value: SA-04(09) - links: - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #sa-9 - rel: related - text: SA-9 - parts: - - - id: sa-4.9_smt - name: statement - prose: Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use. - - - id: sa-4.9_gdn - name: guidance - prose: The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources. - - - id: sa-4.10 - class: SP800-53-enhancement - title: Use of Approved PIV Products - properties: - - - name: label - value: SA-4(10) - - - name: sort-id - value: SA-04(10) - links: - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #pm-9 - rel: related - text: PM-9 - parts: - - - id: sa-4.10_smt - name: statement - prose: Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. - - - id: sa-4.10_gdn - name: guidance - prose: Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations. - - - id: sa-5 - class: SP800-53 - title: System Documentation - parameters: - - - id: sa-5_prm_1 - label: organization-defined actions - - - id: sa-5_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: SA-5 - - - name: sort-id - value: SA-05 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: sa-5_smt - name: statement - parts: - - - id: sa-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Obtain administrator documentation for the system, system component, or system service that describes: - parts: - - - id: sa-5_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Secure configuration, installation, and operation of the system, component, or service; - - - id: sa-5_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Effective use and maintenance of security and privacy functions and mechanisms; and - - - id: sa-5_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Known vulnerabilities regarding configuration and use of administrative or privileged functions; - - - id: sa-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Obtain user documentation for the system, system component, or system service that describes: - parts: - - - id: sa-5_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; - - - id: sa-5_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and - - - id: sa-5_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; - - - id: sa-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response; - - - id: sa-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect documentation as required, in accordance with the organizational risk management strategy; and - - - id: sa-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Distribute documentation to {{ sa-5_prm_2 }}. - - - id: sa-5_gdn - name: guidance - prose: System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation. - - - id: sa-8 - class: SP800-53 - title: Security and Privacy Engineering Principles - parameters: - - - id: sa-8_prm_1 - label: organization-defined systems security and privacy engineering principles - properties: - - - name: label - value: SA-8 - - - name: sort-id - value: SA-08 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-20 - rel: related - text: SA-20 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-39 - rel: related - text: SC-39 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-8_smt - name: statement - prose: Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}. - - - id: sa-8_gdn - name: guidance - prose: - """ - Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. - The application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. - Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design. - """ - - - id: sa-9 - class: SP800-53 - title: External System Services - parameters: - - - id: sa-9_prm_1 - label: organization-defined controls - - - id: sa-9_prm_2 - label: organization-defined processes, methods, and techniques - properties: - - - name: label - value: SA-9 - - - name: sort-id - value: SA-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-9_smt - name: statement - parts: - - - id: sa-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }}; - - - id: sa-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define and document organizational oversight and user roles and responsibilities with regard to external system services; and - - - id: sa-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}. - - - id: sa-9_gdn - name: guidance - prose: External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. - controls: - - - id: sa-9.2 - class: SP800-53-enhancement - title: Identification of Functions, Ports, Protocols, and Services - parameters: - - - id: sa-9.2_prm_1 - label: organization-defined external system services - properties: - - - name: label - value: SA-9(2) - - - name: sort-id - value: SA-09(02) - links: - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - parts: - - - id: sa-9.2_smt - name: statement - prose: Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ sa-9.2_prm_1 }}. - - - id: sa-9.2_gdn - name: guidance - prose: Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. - - - id: sa-10 - class: SP800-53 - title: Developer Configuration Management - parameters: - - - id: sa-10_prm_1 - - - id: sa-10_prm_2 - label: organization-defined configuration items under configuration management - - - id: sa-10_prm_3 - label: organization-defined personnel - properties: - - - name: label - value: SA-10 - - - name: sort-id - value: SA-10 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: sa-10_smt - name: statement - prose: Require the developer of the system, system component, or system service to: - parts: - - - id: sa-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Perform configuration management during system, component, or service {{ sa-10_prm_1 }}; - - - id: sa-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }}; - - - id: sa-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Implement only organization-approved changes to the system, component, or service; - - - id: sa-10_smt.d - name: item - properties: - - - name: label - value: d. - prose: Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and - - - id: sa-10_smt.e - name: item - properties: - - - name: label - value: e. - prose: Track security flaws and flaw resolution within the system, component, or service and report findings to {{ sa-10_prm_3 }}. - - - id: sa-10_gdn - name: guidance - prose: - """ - Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes. - The configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle. - """ - - - id: sa-11 - class: SP800-53 - title: Developer Testing and Evaluation - parameters: - - - id: sa-11_prm_1 - - - id: sa-11_prm_2 - label: organization-defined frequency - - - id: sa-11_prm_3 - label: organization-defined depth and coverage - properties: - - - name: label - value: SA-11 - - - name: sort-id - value: SA-11 - links: - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #fd0f14f5-8910-45c4-b60a-0c8936e00daa - rel: reference - text: [SP 800-154] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-7 - rel: related - text: SR-7 - parts: - - - id: sa-11_smt - name: statement - prose: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: - parts: - - - id: sa-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and implement a plan for ongoing security and privacy assessments; - - - id: sa-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }}; - - - id: sa-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; - - - id: sa-11_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement a verifiable flaw remediation process; and - - - id: sa-11_smt.e - name: item - properties: - - - name: label - value: e. - prose: Correct flaws identified during testing and evaluation. - - - id: sa-11_gdn - name: guidance - prose: - """ - Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. - Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation. - """ - - - id: sa-15 - class: SP800-53 - title: Development Process, Standards, and Tools - parameters: - - - id: sa-15_prm_1 - label: organization-defined frequency - - - id: sa-15_prm_2 - label: organization-defined security and privacy requirements - properties: - - - name: label - value: SA-15 - - - name: sort-id - value: SA-15 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #7a93e915-fd58-4147-be12-e48044c367e6 - rel: reference - text: [IR 8179] - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - parts: - - - id: sa-15_smt - name: statement - parts: - - - id: sa-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require the developer of the system, system component, or system service to follow a documented development process that: - parts: - - - id: sa-15_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Explicitly addresses security and privacy requirements; - - - id: sa-15_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Identifies the standards and tools used in the development process; - - - id: sa-15_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Documents the specific tool options and tool configurations used in the development process; and - - - id: sa-15_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and - - - id: sa-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the development process, standards, tools, tool options, and tool configurations {{ sa-15_prm_1 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ sa-15_prm_2 }}. - - - id: sa-15_gdn - name: guidance - prose: Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes. - controls: - - - id: sa-15.3 - class: SP800-53-enhancement - title: Criticality Analysis - parameters: - - - id: sa-15.3_prm_1 - label: organization-defined decision points in the system development life cycle - - - id: sa-15.3_prm_2 - label: organization-defined breadth and depth of criticality analysis - properties: - - - name: label - value: SA-15(3) - - - name: sort-id - value: SA-15(03) - links: - - - href: #ra-9 - rel: related - text: RA-9 - parts: - - - id: sa-15.3_smt - name: statement - prose: Require the developer of the system, system component, or system service to perform a criticality analysis: - parts: - - - id: sa-15.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: At the following decision points in the system development life cycle: {{ sa-15.3_prm_1 }}; and - - - id: sa-15.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: At the following level of rigor: {{ sa-15.3_prm_2 }}. - - - id: sa-15.3_gdn - name: guidance - prose: Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses. - - - id: sa-16 - class: SP800-53 - title: Developer-provided Training - parameters: - - - id: sa-16_prm_1 - label: organization-defined training - properties: - - - name: label - value: SA-16 - - - name: sort-id - value: SA-16 - links: - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - parts: - - - id: sa-16_smt - name: statement - prose: Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: {{ sa-16_prm_1 }}. - - - id: sa-16_gdn - name: guidance - prose: Developer-provided training applies to external and internal (in-house) developers. Training of personnel is an essential element to help ensure the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training; classroom-style training; and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms. - - - id: sa-17 - class: SP800-53 - title: Developer Security Architecture and Design - properties: - - - name: label - value: SA-17 - - - name: sort-id - value: SA-17 - links: - - - href: #18abb755-c10f-407d-b0ef-4f99e5ec4a49 - rel: reference - text: [ISO 15408-2] - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: sa-17_smt - name: statement - prose: Require the developer of the system, system component, or system service to produce a design specification and security architecture that: - parts: - - - id: sa-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Is consistent with the organization’s security architecture that is an integral part the organization’s enterprise architecture; - - - id: sa-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Accurately and completely describes the required security functionality, and the allocation of controls among physical and logical components; and - - - id: sa-17_smt.c - name: item - properties: - - - name: label - value: c. - prose: Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. - - - id: sa-17_gdn - name: guidance - prose: Developer security architecture and design is directed at external developers, although it could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security architecture and that the architecture is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services, and when there is a requirement to demonstrate consistency with the enterprise architecture and security architecture of the organization. [ISO 15408-2], [ISO 15408-3], and [SP 800-160 v1] provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing. - - - id: sa-21 - class: SP800-53 - title: Developer Screening - parameters: - - - id: sa-21_prm_1 - label: organization-defined system, system component, or system service - - - id: sa-21_prm_2 - label: organization-defined official government duties - - - id: sa-21_prm_3 - label: organization-defined additional personnel screening criteria - properties: - - - name: label - value: SA-21 - - - name: sort-id - value: SA-21 - links: - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-4 - rel: related - text: SA-4 - parts: - - - id: sa-21_smt - name: statement - prose: Require that the developer of {{ sa-21_prm_1 }}: - parts: - - - id: sa-21_smt.a - name: item - properties: - - - name: label - value: a. - prose: Has appropriate access authorizations as determined by assigned {{ sa-21_prm_2 }}; - - - id: sa-21_smt.b - name: item - properties: - - - name: label - value: b. - prose: Satisfies the following additional personnel screening criteria: {{ sa-21_prm_3 }}; and - - - id: sa-21_smt.c - name: item - properties: - - - name: label - value: c. - prose: Provides information that the access authorizations and screening criteria are satisfied. - - - id: sa-21_gdn - name: guidance - prose: Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals accessing the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships the company has with entities potentially affecting the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements. - - - id: sa-22 - class: SP800-53 - title: Unsupported System Components - parameters: - - - id: sa-22_prm_1 - - - id: sa-22_prm_2 - depends-on: sa-22_prm_1 - label: organization-defined support from external providers - properties: - - - name: label - value: SA-22 - - - name: sort-id - value: SA-22 - links: - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: sa-22_smt - name: statement - parts: - - - id: sa-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or - - - id: sa-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}. - - - id: sa-22_gdn - name: guidance - prose: - """ - Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. - Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors. - """ - - - id: sc - class: family - title: System and Communications Protection - controls: - - - id: sc-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sc-1_prm_1 - label: organization-defined personnel or roles - - - id: sc-1_prm_2 - - - id: sc-1_prm_3 - label: organization-defined official - - - id: sc-1_prm_4 - label: organization-defined frequency - - - id: sc-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SC-1 - - - name: sort-id - value: SC-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sc-1_smt - name: statement - parts: - - - id: sc-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sc-1_prm_1 }}: - parts: - - - id: sc-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sc-1_prm_2 }} system and communications protection policy that: - """ - parts: - - - id: sc-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sc-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sc-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; - - - id: sc-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and - - - id: sc-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and communications protection: - parts: - - - id: sc-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sc-1_prm_4 }}; and - - - id: sc-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sc-1_prm_5 }}. - - - id: sc-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sc-2 - class: SP800-53 - title: Separation of System and User Functionality - properties: - - - name: label - value: SC-2 - - - name: sort-id - value: SC-02 - links: - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-22 - rel: related - text: SC-22 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-39 - rel: related - text: SC-39 - parts: - - - id: sc-2_smt - name: statement - prose: Separate user functionality, including user interface services, from system management functionality. - - - id: sc-2_gdn - name: guidance - prose: System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18). - - - id: sc-3 - class: SP800-53 - title: Security Function Isolation - properties: - - - name: label - value: SC-3 - - - name: sort-id - value: SC-03 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-39 - rel: related - text: SC-39 - - - href: #si-16 - rel: related - text: SI-16 - parts: - - - id: sc-3_smt - name: statement - prose: Isolate security functions from nonsecurity functions. - - - id: sc-3_gdn - name: guidance - prose: Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Systems implement code separation in many ways, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18). - - - id: sc-4 - class: SP800-53 - title: Information in Shared System Resources - properties: - - - name: label - value: SC-4 - - - name: sort-id - value: SC-04 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: sc-4_smt - name: statement - prose: Prevent unauthorized and unintended information transfer via shared system resources. - - - id: sc-4_gdn - name: guidance - prose: Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles. - - - id: sc-5 - class: SP800-53 - title: Denial of Service Protection - parameters: - - - id: sc-5_prm_1 - - - id: sc-5_prm_2 - label: organization-defined types of denial of service events - - - id: sc-5_prm_3 - label: organization-defined controls by type of denial of service event - properties: - - - name: label - value: SC-5 - - - name: sort-id - value: SC-05 - links: - - - href: #3862cd94-ff25-4631-9a9a-b92c21a0a923 - rel: reference - text: [SP 800-189] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #sc-6 - rel: related - text: SC-6 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-40 - rel: related - text: SC-40 - parts: - - - id: sc-5_smt - name: statement - parts: - - - id: sc-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - - {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and - """ - - - id: sc-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}. - - - id: sc-5_gdn - name: guidance - prose: Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events. - - - id: sc-7 - class: SP800-53 - title: Boundary Protection - parameters: - - - id: sc-7_prm_1 - properties: - - - name: label - value: SC-7 - - - name: sort-id - value: SC-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #db7877cf-1013-4fb1-b943-ca9361d16370 - rel: reference - text: [SP 800-41] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #3862cd94-ff25-4631-9a9a-b92c21a0a923 - rel: reference - text: [SP 800-189] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-43 - rel: related - text: SC-43 - parts: - - - id: sc-7_smt - name: statement - parts: - - - id: sc-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system; - - - id: sc-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and - - - id: sc-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. - - - id: sc-7_gdn - name: guidance - prose: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. - controls: - - - id: sc-7.3 - class: SP800-53-enhancement - title: Access Points - properties: - - - name: label - value: SC-7(3) - - - name: sort-id - value: SC-07(03) - parts: - - - id: sc-7.3_smt - name: statement - prose: Limit the number of external network connections to the system. - - - id: sc-7.3_gdn - name: guidance - prose: Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system. - - - id: sc-7.4 - class: SP800-53-enhancement - title: External Telecommunications Services - parameters: - - - id: sc-7.4_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SC-7(4) - - - name: sort-id - value: SC-07(04) - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #sc-8 - rel: related - text: SC-8 - parts: - - - id: sc-7.4_smt - name: statement - parts: - - - id: sc-7.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Implement a managed interface for each external telecommunication service; - - - id: sc-7.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Establish a traffic flow policy for each managed interface; - - - id: sc-7.4_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Protect the confidentiality and integrity of the information being transmitted across each interface; - - - id: sc-7.4_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; - - - id: sc-7.4_smt.e - name: item - properties: - - - name: label - value: (e) - prose: Review exceptions to the traffic flow policy {{ sc-7.4_prm_1 }} and remove exceptions that are no longer supported by an explicit mission or business need; - - - id: sc-7.4_smt.f - name: item - properties: - - - name: label - value: (f) - prose: Prevent unauthorized exchange of control plane traffic with external networks; - - - id: sc-7.4_smt.g - name: item - properties: - - - name: label - value: (g) - prose: Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and - - - id: sc-7.4_smt.h - name: item - properties: - - - name: label - value: (h) - prose: Filter unauthorized control plane traffic from external networks. - - - id: sc-7.4_gdn - name: guidance - prose: External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.” - - - id: sc-7.5 - class: SP800-53-enhancement - title: Deny by Default — Allow by Exception - parameters: - - - id: sc-7.5_prm_1 - - - id: sc-7.5_prm_2 - depends-on: sc-7.5_prm_1 - label: organization-defined systems - properties: - - - name: label - value: SC-7(5) - - - name: sort-id - value: SC-07(05) - parts: - - - id: sc-7.5_smt - name: statement - prose: Deny network communications traffic by default and allow network communications traffic by exception {{ sc-7.5_prm_1 }}. - - - id: sc-7.5_gdn - name: guidance - prose: Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system. - - - id: sc-7.7 - class: SP800-53-enhancement - title: Prevent Split Tunneling for Remote Devices - properties: - - - name: label - value: SC-7(7) - - - name: sort-id - value: SC-07(07) - parts: - - - id: sc-7.7_smt - name: statement - prose: Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. - - - id: sc-7.7_gdn - name: guidance - prose: Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. - - - id: sc-7.8 - class: SP800-53-enhancement - title: Route Traffic to Authenticated Proxy Servers - parameters: - - - id: sc-7.8_prm_1 - label: organization-defined internal communications traffic - - - id: sc-7.8_prm_2 - label: organization-defined external networks - properties: - - - name: label - value: SC-7(8) - - - name: sort-id - value: SC-07(08) - links: - - - href: #ac-3 - rel: related - text: AC-3 - parts: - - - id: sc-7.8_smt - name: statement - prose: Route {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces. - - - id: sc-7.8_gdn - name: guidance - prose: External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation). - - - id: sc-7.18 - class: SP800-53-enhancement - title: Fail Secure - properties: - - - name: label - value: SC-7(18) - - - name: sort-id - value: SC-07(18) - links: - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-12 - rel: related - text: CP-12 - - - href: #sc-24 - rel: related - text: SC-24 - parts: - - - id: sc-7.18_smt - name: statement - prose: Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device. - - - id: sc-7.18_gdn - name: guidance - prose: Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. - - - id: sc-7.21 - class: SP800-53-enhancement - title: Isolation of System Components - parameters: - - - id: sc-7.21_prm_1 - label: organization-defined system components - - - id: sc-7.21_prm_2 - label: organization-defined missions and/or business functions - properties: - - - name: label - value: SC-7(21) - - - name: sort-id - value: SC-07(21) - links: - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #sc-3 - rel: related - text: SC-3 - parts: - - - id: sc-7.21_smt - name: statement - prose: Employ boundary protection mechanisms to isolate {{ sc-7.21_prm_1 }} supporting {{ sc-7.21_prm_2 }}. - - - id: sc-7.21_gdn - name: guidance - prose: Organizations can isolate system components performing different missions or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization techniques; cross-domain devices separating subnetworks; and encrypting information flows among system components using distinct encryption keys. - - - id: sc-8 - class: SP800-53 - title: Transmission Confidentiality and Integrity - parameters: - - - id: sc-8_prm_1 - properties: - - - name: label - value: SC-8 - - - name: sort-id - value: SC-08 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #bbc7085f-b383-444e-af74-722a55cccc0f - rel: reference - text: [FIPS 197] - - - href: #286604ec-e383-4c1d-bd8c-d88f88e54a0f - rel: reference - text: [SP 800-52] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #36132a58-56fd-4980-9f6c-c010d3faf52b - rel: reference - text: [SP 800-113] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-16 - rel: related - text: SC-16 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-28 - rel: related - text: SC-28 - parts: - - - id: sc-8_smt - name: statement - prose: Protect the {{ sc-8_prm_1 }} of transmitted information. - - - id: sc-8_gdn - name: guidance - prose: - """ - Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. - Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls. - """ - controls: - - - id: sc-8.1 - class: SP800-53-enhancement - title: Cryptographic Protection - parameters: - - - id: sc-8.1_prm_1 - properties: - - - name: label - value: SC-8(1) - - - name: sort-id - value: SC-08(01) - links: - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: sc-8.1_smt - name: statement - prose: Implement cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission. - - - id: sc-8.1_gdn - name: guidance - prose: Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path. - - - id: sc-10 - class: SP800-53 - title: Network Disconnect - parameters: - - - id: sc-10_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: SC-10 - - - name: sort-id - value: SC-10 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #sc-23 - rel: related - text: SC-23 - parts: - - - id: sc-10_smt - name: statement - prose: Terminate the network connection associated with a communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity. - - - id: sc-10_gdn - name: guidance - prose: Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses. - - - id: sc-12 - class: SP800-53 - title: Cryptographic Key Establishment and Management - parameters: - - - id: sc-12_prm_1 - label: organization-defined requirements for key generation, distribution, storage, access, and destruction - properties: - - - name: label - value: SC-12 - - - name: sort-id - value: SC-12 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #77dc1838-3664-4faa-bc6e-4e2a16e52f35 - rel: reference - text: [SP 800-56A] - - - href: #f417e4ec-cadb-47a8-a363-6006b32c28ad - rel: reference - text: [SP 800-56B] - - - href: #7c3ba335-62bd-4f03-888f-960790409b11 - rel: reference - text: [SP 800-56C] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #f437b52f-7f26-42aa-8e8f-999e7d67b2fe - rel: reference - text: [IR 7956] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-11 - rel: related - text: SC-11 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-17 - rel: related - text: SC-17 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: sc-12_smt - name: statement - prose: Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}. - - - id: sc-12_gdn - name: guidance - prose: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. - controls: - - - id: sc-12.1 - class: SP800-53-enhancement - title: Availability - properties: - - - name: label - value: SC-12(1) - - - name: sort-id - value: SC-12(01) - parts: - - - id: sc-12.1_smt - name: statement - prose: Maintain availability of information in the event of the loss of cryptographic keys by users. - - - id: sc-12.1_gdn - name: guidance - prose: Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. A forgotten passphrase is an example of losing a cryptographic key. - - - id: sc-13 - class: SP800-53 - title: Cryptographic Protection - parameters: - - - id: sc-13_prm_1 - label: organization-defined cryptographic uses - - - id: sc-13_prm_2 - label: organization-defined types of cryptography for each specified cryptographic use - properties: - - - name: label - value: SC-13 - - - name: sort-id - value: SC-13 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: sc-13_smt - name: statement - parts: - - - id: sc-13_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine the {{ sc-13_prm_1 }}; and - - - id: sc-13_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}. - - - id: sc-13_gdn - name: guidance - prose: Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - - - id: sc-15 - class: SP800-53 - title: Collaborative Computing Devices and Applications - parameters: - - - id: sc-15_prm_1 - label: organization-defined exceptions where remote activation is to be allowed - properties: - - - name: label - value: SC-15 - - - name: sort-id - value: SC-15 - links: - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #sc-42 - rel: related - text: SC-42 - parts: - - - id: sc-15_smt - name: statement - parts: - - - id: sc-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and - - - id: sc-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide an explicit indication of use to users physically present at the devices. - - - id: sc-15_gdn - name: guidance - prose: Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated. - - - id: sc-17 - class: SP800-53 - title: Public Key Infrastructure Certificates - parameters: - - - id: sc-17_prm_1 - label: organization-defined certificate policy - properties: - - - name: label - value: SC-17 - - - name: sort-id - value: SC-17 - links: - - - href: #b7140427-d4c4-467a-97a1-5ca9f7c6584a - rel: reference - text: [SP 800-32] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #au-10 - rel: related - text: AU-10 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #sc-12 - rel: related - text: SC-12 - parts: - - - id: sc-17_smt - name: statement - parts: - - - id: sc-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Issue public key certificates under an {{ sc-17_prm_1 }} or obtain public key certificates from an approved service provider; and - - - id: sc-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Include only approved trust anchors in trust stores or certificate stores managed by the organization. - - - id: sc-17_gdn - name: guidance - prose: This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates. - - - id: sc-18 - class: SP800-53 - title: Mobile Code - properties: - - - name: label - value: SC-18 - - - name: sort-id - value: SC-18 - links: - - - href: #8e334d74-fc06-47a9-bbb1-804fdfae0e44 - rel: reference - text: [SP 800-28] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #si-3 - rel: related - text: SI-3 - parts: - - - id: sc-18_smt - name: statement - parts: - - - id: sc-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define acceptable and unacceptable mobile code and mobile code technologies; and - - - id: sc-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize, monitor, and control the use of mobile code within the system. - - - id: sc-18_gdn - name: guidance - prose: Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. - - - id: sc-20 - class: SP800-53 - title: Secure Name/address Resolution Service (authoritative Source) - properties: - - - name: label - value: SC-20 - - - name: sort-id - value: SC-20 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #au-10 - rel: related - text: AU-10 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-21 - rel: related - text: SC-21 - - - href: #sc-22 - rel: related - text: SC-22 - parts: - - - id: sc-20_smt - name: statement - parts: - - - id: sc-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and - - - id: sc-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. - - - id: sc-20_gdn - name: guidance - prose: This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data. - - - id: sc-21 - class: SP800-53 - title: Secure Name/address Resolution Service (recursive or Caching Resolver) - properties: - - - name: label - value: SC-21 - - - name: sort-id - value: SC-21 - links: - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-22 - rel: related - text: SC-22 - parts: - - - id: sc-21_smt - name: statement - prose: Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. - - - id: sc-21_gdn - name: guidance - prose: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data. - - - id: sc-22 - class: SP800-53 - title: Architecture and Provisioning for Name/address Resolution Service - properties: - - - name: label - value: SC-22 - - - name: sort-id - value: SC-22 - links: - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-21 - rel: related - text: SC-21 - - - href: #sc-24 - rel: related - text: SC-24 - parts: - - - id: sc-22_smt - name: statement - prose: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. - - - id: sc-22_gdn - name: guidance - prose: Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists. - - - id: sc-23 - class: SP800-53 - title: Session Authenticity - properties: - - - name: label - value: SC-23 - - - name: sort-id - value: SC-23 - links: - - - href: #286604ec-e383-4c1d-bd8c-d88f88e54a0f - rel: reference - text: [SP 800-52] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #1d91d984-0cb6-4f96-a01d-c39a3eee7d43 - rel: reference - text: [SP 800-95] - - - href: #36132a58-56fd-4980-9f6c-c010d3faf52b - rel: reference - text: [SP 800-113] - - - href: #au-10 - rel: related - text: AU-10 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-10 - rel: related - text: SC-10 - - - href: #sc-11 - rel: related - text: SC-11 - parts: - - - id: sc-23_smt - name: statement - prose: Protect the authenticity of communications sessions. - - - id: sc-23_gdn - name: guidance - prose: Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions. - - - id: sc-24 - class: SP800-53 - title: Fail in Known State - parameters: - - - id: sc-24_prm_1 - label: organization-defined known system state - - - id: sc-24_prm_2 - label: organization-defined system state information - - - id: sc-24_prm_3 - label: list of organization-defined types of system failures on organization-defined system components - properties: - - - name: label - value: SC-24 - - - name: sort-id - value: SC-24 - links: - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #cp-12 - rel: related - text: CP-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-22 - rel: related - text: SC-22 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: sc-24_smt - name: statement - prose: Fail to a {{ sc-24_prm_1 }} for the following failures on the indicated components while preserving {{ sc-24_prm_2 }} in failure: {{ sc-24_prm_3 }}. - - - id: sc-24_gdn - name: guidance - prose: Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes. - - - id: sc-28 - class: SP800-53 - title: Protection of Information at Rest - parameters: - - - id: sc-28_prm_1 - - - id: sc-28_prm_2 - label: organization-defined information at rest - properties: - - - name: label - value: SC-28 - - - name: sort-id - value: SC-28 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #77dc1838-3664-4faa-bc6e-4e2a16e52f35 - rel: reference - text: [SP 800-56A] - - - href: #f417e4ec-cadb-47a8-a363-6006b32c28ad - rel: reference - text: [SP 800-56B] - - - href: #7c3ba335-62bd-4f03-888f-960790409b11 - rel: reference - text: [SP 800-56C] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-16 - rel: related - text: SI-16 - parts: - - - id: sc-28_smt - name: statement - prose: Protect the {{ sc-28_prm_1 }} of the following information at rest: {{ sc-28_prm_2 }}. - - - id: sc-28_gdn - name: guidance - prose: Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage. - controls: - - - id: sc-28.1 - class: SP800-53-enhancement - title: Cryptographic Protection - parameters: - - - id: sc-28.1_prm_1 - label: organization-defined system components or media - - - id: sc-28.1_prm_2 - label: organization-defined information - properties: - - - name: label - value: SC-28(1) - - - name: sort-id - value: SC-28(01) - links: - - - href: #ac-19 - rel: related - text: AC-19 - parts: - - - id: sc-28.1_smt - name: statement - prose: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ sc-28.1_prm_1 }}: {{ sc-28.1_prm_2 }}. - - - id: sc-28.1_gdn - name: guidance - prose: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13). - - - id: sc-39 - class: SP800-53 - title: Process Isolation - properties: - - - name: label - value: SC-39 - - - name: sort-id - value: SC-39 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #si-16 - rel: related - text: SI-16 - parts: - - - id: sc-39_smt - name: statement - prose: Maintain a separate execution domain for each executing system process. - - - id: sc-39_gdn - name: guidance - prose: Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies. - - - id: si - class: family - title: System and Information Integrity - controls: - - - id: si-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: si-1_prm_1 - label: organization-defined personnel or roles - - - id: si-1_prm_2 - - - id: si-1_prm_3 - label: organization-defined official - - - id: si-1_prm_4 - label: organization-defined frequency - - - id: si-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SI-1 - - - name: sort-id - value: SI-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: si-1_smt - name: statement - parts: - - - id: si-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ si-1_prm_1 }}: - parts: - - - id: si-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ si-1_prm_2 }} system and information integrity policy that: - """ - parts: - - - id: si-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: si-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: si-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; - - - id: si-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and - - - id: si-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and information integrity: - parts: - - - id: si-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ si-1_prm_4 }}; and - - - id: si-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ si-1_prm_5 }}. - - - id: si-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: si-2 - class: SP800-53 - title: Flaw Remediation - parameters: - - - id: si-2_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: SI-2 - - - name: sort-id - value: SI-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - rel: reference - text: [IR 7788] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-5 - rel: related - text: SI-5 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: si-2_smt - name: statement - parts: - - - id: si-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify, report, and correct system flaws; - - - id: si-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; - - - id: si-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and - - - id: si-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Incorporate flaw remediation into the organizational configuration management process. - - - id: si-2_gdn - name: guidance - prose: - """ - The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. - Organization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. - """ - controls: - - - id: si-2.1 - class: SP800-53-enhancement - title: Central Management - properties: - - - name: label - value: SI-2(1) - - - name: sort-id - value: SI-02(01) - links: - - - href: #pl-9 - rel: related - text: PL-9 - parts: - - - id: si-2.1_smt - name: statement - prose: Centrally manage the flaw remediation process. - - - id: si-2.1_gdn - name: guidance - prose: Central management is the organization-wide management and implementation of flaw remediation processes. It includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation controls. - - - id: si-2.2 - class: SP800-53-enhancement - title: Automated Flaw Remediation Status - parameters: - - - id: si-2.2_prm_1 - label: organization-defined automated mechanisms - - - id: si-2.2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SI-2(2) - - - name: sort-id - value: SI-02(02) - links: - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: si-2.2_smt - name: statement - prose: - """ - Determine if system components have applicable security-relevant software and firmware updates installed using {{ si-2.2_prm_1 }} - {{ si-2.2_prm_2 }}. - """ - - - id: si-2.2_gdn - name: guidance - prose: Automated mechanisms can track and determine the status of known flaws for system components. - - - id: si-3 - class: SP800-53 - title: Malicious Code Protection - parameters: - - - id: si-3_prm_1 - - - id: si-3_prm_2 - label: organization-defined frequency - - - id: si-3_prm_3 - - - id: si-3_prm_4 - - - id: si-3_prm_5 - depends-on: si-3_prm_4 - label: organization-defined action - - - id: si-3_prm_6 - label: organization-defined personnel or roles - properties: - - - name: label - value: SI-3 - - - name: sort-id - value: SI-03 - links: - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #c972a85c-fa75-4596-be25-a338dc7e4e46 - rel: reference - text: [SP 800-125B] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-26 - rel: related - text: SC-26 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-44 - rel: related - text: SC-44 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-8 - rel: related - text: SI-8 - - - href: #si-15 - rel: related - text: SI-15 - parts: - - - id: si-3_smt - name: statement - parts: - - - id: si-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; - - - id: si-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; - - - id: si-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Configure malicious code protection mechanisms to: - parts: - - - id: si-3_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and - - - id: si-3_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection. - """ - - - id: si-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. - - - id: si-3_gdn - name: guidance - prose: - """ - System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. - Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions. - In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files. - """ - controls: - - - id: si-3.1 - class: SP800-53-enhancement - title: Central Management - properties: - - - name: label - value: SI-3(1) - - - name: sort-id - value: SI-03(01) - links: - - - href: #pl-9 - rel: related - text: PL-9 - parts: - - - id: si-3.1_smt - name: statement - prose: Centrally manage malicious code protection mechanisms. - - - id: si-3.1_gdn - name: guidance - prose: Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls. - - - id: si-4 - class: SP800-53 - title: System Monitoring - parameters: - - - id: si-4_prm_1 - label: organization-defined monitoring objectives - - - id: si-4_prm_2 - label: organization-defined techniques and methods - - - id: si-4_prm_3 - label: organization-defined system monitoring information - - - id: si-4_prm_4 - label: organization-defined personnel or roles - - - id: si-4_prm_5 - - - id: si-4_prm_6 - depends-on: si-4_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SI-4 - - - name: sort-id - value: SI-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #02d8ec60-6197-43f8-9f47-18732127963e - rel: reference - text: [SP 800-92] - - - href: #41e2e2c6-2260-4258-85c8-09db17c43103 - rel: reference - text: [SP 800-94] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-10 - rel: related - text: IA-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-26 - rel: related - text: SC-26 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #sc-35 - rel: related - text: SC-35 - - - href: #sc-36 - rel: related - text: SC-36 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-6 - rel: related - text: SI-6 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - parts: - - - id: si-4_smt - name: statement - parts: - - - id: si-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor the system to detect: - parts: - - - id: si-4_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and - - - id: si-4_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Unauthorized local, network, and remote connections; - - - id: si-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }}; - - - id: si-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Invoke internal monitoring capabilities or deploy monitoring devices: - parts: - - - id: si-4_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Strategically within the system to collect organization-determined essential information; and - - - id: si-4_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: At ad hoc locations within the system to track specific types of transactions of interest to the organization; - - - id: si-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; - - - id: si-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; - - - id: si-4_smt.f - name: item - properties: - - - name: label - value: f. - prose: Obtain legal opinion regarding system monitoring activities; and - - - id: si-4_smt.g - name: item - properties: - - - name: label - value: g. - prose: - """ - Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }} - {{ si-4_prm_5 }}. - """ - - - id: si-4_gdn - name: guidance - prose: - """ - System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. - Depending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - """ - controls: - - - id: si-4.2 - class: SP800-53-enhancement - title: Automated Tools and Mechanisms for Real-time Analysis - properties: - - - name: label - value: SI-4(2) - - - name: sort-id - value: SI-04(02) - links: - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-25 - rel: related - text: PM-25 - parts: - - - id: si-4.2_smt - name: statement - prose: Employ automated tools and mechanisms to support near real-time analysis of events. - - - id: si-4.2_gdn - name: guidance - prose: Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan. - - - id: si-4.4 - class: SP800-53-enhancement - title: Inbound and Outbound Communications Traffic - parameters: - - - id: si-4.4_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SI-4(4) - - - name: sort-id - value: SI-04(04) - parts: - - - id: si-4.4_smt - name: statement - prose: Monitor inbound and outbound communications traffic {{ si-4.4_prm_1 }} for unusual or unauthorized activities or conditions. - - - id: si-4.4_gdn - name: guidance - prose: Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. - - - id: si-4.5 - class: SP800-53-enhancement - title: System-generated Alerts - parameters: - - - id: si-4.5_prm_1 - label: organization-defined personnel or roles - - - id: si-4.5_prm_2 - label: organization-defined compromise indicators - properties: - - - name: label - value: SI-4(5) - - - name: sort-id - value: SI-04(05) - links: - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #pe-6 - rel: related - text: PE-6 - parts: - - - id: si-4.5_smt - name: statement - prose: Alert {{ si-4.5_prm_1 }} when the following system-generated indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}. - - - id: si-4.5_gdn - name: guidance - prose: Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats. - - - id: si-4.10 - class: SP800-53-enhancement - title: Visibility of Encrypted Communications - parameters: - - - id: si-4.10_prm_1 - label: organization-defined encrypted communications traffic - - - id: si-4.10_prm_2 - label: organization-defined system monitoring tools and mechanisms - properties: - - - name: label - value: SI-4(10) - - - name: sort-id - value: SI-04(10) - parts: - - - id: si-4.10_smt - name: statement - prose: Make provisions so that {{ si-4.10_prm_1 }} is visible to {{ si-4.10_prm_2 }}. - - - id: si-4.10_gdn - name: guidance - prose: Organizations balance the need for encrypting communications traffic to protect data confidentiality with the need for having visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types. - - - id: si-4.12 - class: SP800-53-enhancement - title: Automated Organization-generated Alerts - parameters: - - - id: si-4.12_prm_1 - label: organization-defined personnel or roles - - - id: si-4.12_prm_2 - label: organization-defined automated mechanisms - - - id: si-4.12_prm_3 - label: organization-defined activities that trigger alerts - properties: - - - name: label - value: SI-4(12) - - - name: sort-id - value: SI-04(12) - parts: - - - id: si-4.12_smt - name: statement - prose: Alert {{ si-4.12_prm_1 }} using {{ si-4.12_prm_2 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ si-4.12_prm_3 }}. - - - id: si-4.12_gdn - name: guidance - prose: Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by systems in SI-4(5) that focus on information sources that are internal to the systems such as audit records, the sources of information for this enhancement focus on other entities such as suspicious activity reports and reports on potential insider threats. - - - id: si-4.14 - class: SP800-53-enhancement - title: Wireless Intrusion Detection - properties: - - - name: label - value: SI-4(14) - - - name: sort-id - value: SI-04(14) - links: - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ia-3 - rel: related - text: IA-3 - parts: - - - id: si-4.14_smt - name: statement - prose: Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system. - - - id: si-4.14_gdn - name: guidance - prose: Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems, but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems. - - - id: si-4.20 - class: SP800-53-enhancement - title: Privileged Users - parameters: - - - id: si-4.20_prm_1 - label: organization-defined additional monitoring - properties: - - - name: label - value: SI-4(20) - - - name: sort-id - value: SI-04(20) - links: - - - href: #ac-18 - rel: related - text: AC-18 - parts: - - - id: si-4.20_smt - name: statement - prose: Implement the following additional monitoring of privileged users: {{ si-4.20_prm_1 }}. - - - id: si-4.20_gdn - name: guidance - prose: Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions. - - - id: si-4.22 - class: SP800-53-enhancement - title: Unauthorized Network Services - parameters: - - - id: si-4.22_prm_1 - label: organization-defined authorization or approval processes - - - id: si-4.22_prm_2 - - - id: si-4.22_prm_3 - depends-on: si-4.22_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: SI-4(22) - - - name: sort-id - value: SI-04(22) - links: - - - href: #cm-7 - rel: related - text: CM-7 - parts: - - - id: si-4.22_smt - name: statement - parts: - - - id: si-4.22_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Detect network services that have not been authorized or approved by {{ si-4.22_prm_1 }}; and - - - id: si-4.22_smt.b - name: item - properties: - - - name: label - value: (b) - prose: - """ - - {{ si-4.22_prm_2 }} when detected. - """ - - - id: si-4.22_gdn - name: guidance - prose: Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. - - - id: si-5 - class: SP800-53 - title: Security Alerts, Advisories, and Directives - parameters: - - - id: si-5_prm_1 - label: organization-defined external organizations - - - id: si-5_prm_2 - - - id: si-5_prm_3 - depends-on: si-5_prm_2 - label: organization-defined personnel or roles - - - id: si-5_prm_4 - depends-on: si-5_prm_2 - label: organization-defined elements within the organization - - - id: si-5_prm_5 - depends-on: si-5_prm_2 - label: organization-defined external organizations - properties: - - - name: label - value: SI-5 - - - name: sort-id - value: SI-05 - links: - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #pm-15 - rel: related - text: PM-15 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: si-5_smt - name: statement - parts: - - - id: si-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis; - - - id: si-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Generate internal security alerts, advisories, and directives as deemed necessary; - - - id: si-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and - - - id: si-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. - - - id: si-5_gdn - name: guidance - prose: The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations. - controls: - - - id: si-5.1 - class: SP800-53-enhancement - title: Automated Alerts and Advisories - parameters: - - - id: si-5.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: SI-5(1) - - - name: sort-id - value: SI-05(01) - parts: - - - id: si-5.1_smt - name: statement - prose: Broadcast security alert and advisory information throughout the organization using {{ si-5.1_prm_1 }}. - - - id: si-5.1_gdn - name: guidance - prose: The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of information security and privacy risk, including the governance level, mission and business process level, and the information system level. - - - id: si-6 - class: SP800-53 - title: Security and Privacy Function Verification - parameters: - - - id: si-6_prm_1 - label: organization-defined security and privacy functions - - - id: si-6_prm_2 - - - id: si-6_prm_3 - depends-on: si-6_prm_2 - label: organization-defined system transitional states - - - id: si-6_prm_4 - depends-on: si-6_prm_2 - label: organization-defined frequency - - - id: si-6_prm_5 - label: organization-defined personnel or roles - - - id: si-6_prm_6 - - - id: si-6_prm_7 - depends-on: si-6_prm_6 - label: organization-defined alternative action(s) - properties: - - - name: label - value: SI-6 - - - name: sort-id - value: SI-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: si-6_smt - name: statement - parts: - - - id: si-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Verify the correct operation of {{ si-6_prm_1 }}; - - - id: si-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Perform the verification of the functions specified in SI-6a {{ si-6_prm_2 }}; - - - id: si-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Notify {{ si-6_prm_5 }} of failed security and privacy verification tests; and - - - id: si-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: - """ - - {{ si-6_prm_6 }} when anomalies are discovered. - """ - - - id: si-6_gdn - name: guidance - prose: Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy, or that privacy attributes are applied or used as expected. - - - id: si-7 - class: SP800-53 - title: Software, Firmware, and Information Integrity - parameters: - - - id: si-7_prm_1 - label: organization-defined software, firmware, and information - - - id: si-7_prm_2 - label: organization-defined actions - properties: - - - name: label - value: SI-7 - - - name: sort-id - value: SI-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #e9224c9b-4fa5-40b7-bfbb-02bff7712d92 - rel: reference - text: [SP 800-147] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: si-7_smt - name: statement - parts: - - - id: si-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ si-7_prm_1 }}; and - - - id: si-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ si-7_prm_2 }}. - - - id: si-7_gdn - name: guidance - prose: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications. - controls: - - - id: si-7.1 - class: SP800-53-enhancement - title: Integrity Checks - parameters: - - - id: si-7.1_prm_1 - label: organization-defined software, firmware, and information - - - id: si-7.1_prm_2 - - - id: si-7.1_prm_3 - depends-on: si-7.1_prm_2 - label: organization-defined transitional states or security-relevant events - - - id: si-7.1_prm_4 - depends-on: si-7.1_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SI-7(1) - - - name: sort-id - value: SI-07(01) - parts: - - - id: si-7.1_smt - name: statement - prose: - """ - Perform an integrity check of {{ si-7.1_prm_1 }} - {{ si-7.1_prm_2 }}. - """ - - - id: si-7.1_gdn - name: guidance - prose: Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort. - - - id: si-7.2 - class: SP800-53-enhancement - title: Automated Notifications of Integrity Violations - parameters: - - - id: si-7.2_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SI-7(2) - - - name: sort-id - value: SI-07(02) - parts: - - - id: si-7.2_smt - name: statement - prose: Employ automated tools that provide notification to {{ si-7.2_prm_1 }} upon discovering discrepancies during integrity verification. - - - id: si-7.2_gdn - name: guidance - prose: The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel having an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, systems administrators, software developers, systems integrators, and information security officers, and privacy officers. - - - id: si-7.5 - class: SP800-53-enhancement - title: Automated Response to Integrity Violations - parameters: - - - id: si-7.5_prm_1 - - - id: si-7.5_prm_2 - depends-on: si-7.5_prm_1 - label: organization-defined controls - properties: - - - name: label - value: SI-7(5) - - - name: sort-id - value: SI-07(05) - parts: - - - id: si-7.5_smt - name: statement - prose: Automatically {{ si-7.5_prm_1 }} when integrity violations are discovered. - - - id: si-7.5_gdn - name: guidance - prose: Organizations may define different integrity checking responses by type of information, by specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur. - - - id: si-7.7 - class: SP800-53-enhancement - title: Integration of Detection and Response - parameters: - - - id: si-7.7_prm_1 - label: organization-defined security-relevant changes to the system - properties: - - - name: label - value: SI-7(7) - - - name: sort-id - value: SI-07(07) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: si-7.7_smt - name: statement - prose: Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ si-7.7_prm_1 }}. - - - id: si-7.7_gdn - name: guidance - prose: This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges. - - - id: si-7.15 - class: SP800-53-enhancement - title: Code Authentication - parameters: - - - id: si-7.15_prm_1 - label: organization-defined software or firmware components - properties: - - - name: label - value: SI-7(15) - - - name: sort-id - value: SI-07(15) - links: - - - href: #cm-5 - rel: related - text: CM-5 - parts: - - - id: si-7.15_smt - name: statement - prose: Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ si-7.15_prm_1 }}. - - - id: si-7.15_gdn - name: guidance - prose: Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations employing cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13). - - - id: si-8 - class: SP800-53 - title: Spam Protection - properties: - - - name: label - value: SI-8 - - - name: sort-id - value: SI-08 - links: - - - href: #23b0a203-c020-47dd-b86c-9f8c35ecaa4e - rel: reference - text: [SP 800-45] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: si-8_smt - name: statement - parts: - - - id: si-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and - - - id: si-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. - - - id: si-8_gdn - name: guidance - prose: System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions. - controls: - - - id: si-8.1 - class: SP800-53-enhancement - title: Central Management - properties: - - - name: label - value: SI-8(1) - - - name: sort-id - value: SI-08(01) - links: - - - href: #au-3 - rel: related - text: AU-3 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: si-8.1_smt - name: statement - prose: Centrally manage spam protection mechanisms. - - - id: si-8.1_gdn - name: guidance - prose: Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls. - - - id: si-8.2 - class: SP800-53-enhancement - title: Automatic Updates - parameters: - - - id: si-8.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SI-8(2) - - - name: sort-id - value: SI-08(02) - parts: - - - id: si-8.2_smt - name: statement - prose: Automatically update spam protection mechanisms {{ si-8.2_prm_1 }}. - - - id: si-8.2_gdn - name: guidance - prose: Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability. - - - id: si-10 - class: SP800-53 - title: Information Input Validation - parameters: - - - id: si-10_prm_1 - label: organization-defined information inputs to the system - properties: - - - name: label - value: SI-10 - - - name: sort-id - value: SI-10 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - parts: - - - id: si-10_smt - name: statement - prose: Check the validity of the following information inputs: {{ si-10_prm_1 }}. - - - id: si-10_gdn - name: guidance - prose: Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. - - - id: si-11 - class: SP800-53 - title: Error Handling - parameters: - - - id: si-11_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SI-11 - - - name: sort-id - value: SI-11 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: si-11_smt - name: statement - parts: - - - id: si-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and - - - id: si-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Reveal error messages only to {{ si-11_prm_1 }}. - - - id: si-11_gdn - name: guidance - prose: Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information. - - - id: si-12 - class: SP800-53 - title: Information Management and Retention - properties: - - - name: label - value: SI-12 - - - name: sort-id - value: SI-12 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-3 - rel: related - text: MP-3 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sr-1 - rel: related - text: SR-1 - parts: - - - id: si-12_smt - name: statement - prose: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. - - - id: si-12_gdn - name: guidance - prose: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel. - - - id: si-16 - class: SP800-53 - title: Memory Protection - parameters: - - - id: si-16_prm_1 - label: organization-defined controls - properties: - - - name: label - value: SI-16 - - - name: sort-id - value: SI-16 - links: - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #sc-3 - rel: related - text: SC-3 - parts: - - - id: si-16_smt - name: statement - prose: Implement the following controls to protect the system memory from unauthorized code execution: {{ si-16_prm_1 }}. - - - id: si-16_gdn - name: guidance - prose: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism. - - - id: sr - class: family - title: Supply Chain Risk Management - controls: - - - id: sr-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sr-1_prm_1 - label: organization-defined personnel or roles - - - id: sr-1_prm_2 - - - id: sr-1_prm_3 - label: organization-defined official - - - id: sr-1_prm_4 - label: organization-defined frequency - - - id: sr-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SR-1 - - - name: sort-id - value: SR-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sr-1_smt - name: statement - parts: - - - id: sr-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sr-1_prm_1 }}: - parts: - - - id: sr-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sr-1_prm_2 }} supply chain risk management policy that: - """ - parts: - - - id: sr-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sr-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sr-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; - - - id: sr-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and - - - id: sr-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current supply chain risk management: - parts: - - - id: sr-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sr-1_prm_4 }}; and - - - id: sr-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sr-1_prm_5 }}. - - - id: sr-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sr-2 - class: SP800-53 - title: Supply Chain Risk Management Plan - parameters: - - - id: sr-2_prm_1 - label: organization-defined systems, system components, or system services - - - id: sr-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SR-2 - - - name: sort-id - value: SR-02 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: sr-2_smt - name: statement - parts: - - - id: sr-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }}; - - - id: sr-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the supply chain risk management plan consistently across the organization; and - - - id: sr-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes. - - - id: sr-2_gdn - name: guidance - prose: - """ - The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. - Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8). - """ - controls: - - - id: sr-2.1 - class: SP800-53-enhancement - title: Establish Scrm Team - parameters: - - - id: sr-2.1_prm_1 - label: organization-defined personnel, roles, and responsibilities - - - id: sr-2.1_prm_2 - label: organization-defined supply chain risk management activities - properties: - - - name: label - value: SR-2(1) - - - name: sort-id - value: SR-02(01) - parts: - - - id: sr-2.1_smt - name: statement - prose: Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}. - - - id: sr-2.1_gdn - name: guidance - prose: To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team. - - - id: sr-3 - class: SP800-53 - title: Supply Chain Controls and Processes - parameters: - - - id: sr-3_prm_1 - label: organization-defined system or system component - - - id: sr-3_prm_2 - label: organization-defined supply chain personnel - - - id: sr-3_prm_3 - label: organization-defined supply chain controls - - - id: sr-3_prm_4 - - - id: sr-3_prm_5 - depends-on: sr-3_prm_4 - label: organization-defined document - properties: - - - name: label - value: SR-3 - - - name: sort-id - value: SR-03 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-29 - rel: related - text: SC-29 - - - href: #sc-30 - rel: related - text: SC-30 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-3_smt - name: statement - parts: - - - id: sr-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }}; - - - id: sr-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and - - - id: sr-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}. - - - id: sr-3_gdn - name: guidance - prose: Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain. - - - id: sr-5 - class: SP800-53 - title: Acquisition Strategies, Tools, and Methods - parameters: - - - id: sr-5_prm_1 - label: organization-defined acquisition strategies, contract tools, and procurement methods - properties: - - - name: label - value: SR-5 - - - name: sort-id - value: SR-05 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-5_smt - name: statement - prose: Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}. - - - id: sr-5_gdn - name: guidance - prose: The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements. - - - id: sr-6 - class: SP800-53 - title: Supplier Reviews - parameters: - - - id: sr-6_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SR-6 - - - name: sort-id - value: SR-06 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sr-6_smt - name: statement - prose: Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ sr-6_prm_1 }}. - - - id: sr-6_gdn - name: guidance - prose: A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts. - - - id: sr-8 - class: SP800-53 - title: Notification Agreements - parameters: - - - id: sr-8_prm_1 - - - id: sr-8_prm_2 - depends-on: sr-8_prm_1 - label: organization-defined information - properties: - - - name: label - value: SR-8 - - - name: sort-id - value: SR-08 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - parts: - - - id: sr-8_smt - name: statement - prose: Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}. - - - id: sr-8_gdn - name: guidance - prose: The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes. - - - id: sr-9 - class: SP800-53 - title: Tamper Resistance and Detection - properties: - - - name: label - value: SR-9 - - - name: sort-id - value: SR-09 - links: - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-10 - rel: related - text: SR-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-9_smt - name: statement - prose: Implement a tamper protection program for the system, system component, or system service. - - - id: sr-9_gdn - name: guidance - prose: Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use. - controls: - - - id: sr-9.1 - class: SP800-53-enhancement - title: Multiple Stages of System Development Life Cycle - properties: - - - name: label - value: SR-9(1) - - - name: sort-id - value: SR-09(01) - links: - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: sr-9.1_smt - name: statement - prose: Employ anti-tamper technologies, tools, and techniques during multiple stages in the system development life cycle, including design, development, integration, operations, and maintenance. - - - id: sr-9.1_gdn - name: guidance - prose: Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage. - - - id: sr-10 - class: SP800-53 - title: Inspection of Systems or Components - parameters: - - - id: sr-10_prm_1 - - - id: sr-10_prm_2 - depends-on: sr-10_prm_1 - label: organization-defined frequency - - - id: sr-10_prm_3 - depends-on: sr-10_prm_1 - label: organization-defined indications of need for inspection - - - id: sr-10_prm_4 - label: organization-defined systems or system components - properties: - - - name: label - value: SR-10 - - - name: sort-id - value: SR-10 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-10_smt - name: statement - prose: Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}. - - - id: sr-10_gdn - name: guidance - prose: Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations. - - - id: sr-11 - class: SP800-53 - title: Component Authenticity - parameters: - - - id: sr-11_prm_1 - - - id: sr-11_prm_2 - depends-on: sr-11_prm_1 - label: organization-defined external reporting organizations - - - id: sr-11_prm_3 - depends-on: sr-11_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SR-11 - - - name: sort-id - value: SR-11 - links: - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - parts: - - - id: sr-11_smt - name: statement - parts: - - - id: sr-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and - - - id: sr-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report counterfeit system components to {{ sr-11_prm_1 }}. - - - id: sr-11_gdn - name: guidance - prose: Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA. - controls: - - - id: sr-11.1 - class: SP800-53-enhancement - title: Anti-counterfeit Training - parameters: - - - id: sr-11.1_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SR-11(1) - - - name: sort-id - value: SR-11(01) - links: - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: sr-11.1_smt - name: statement - prose: Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware). - - - id: sr-11.1_gdn - name: guidance - prose: None. - - - id: sr-11.2 - class: SP800-53-enhancement - title: Configuration Control for Component Service and Repair - parameters: - - - id: sr-11.2_prm_1 - label: organization-defined system components - properties: - - - name: label - value: SR-11(2) - - - name: sort-id - value: SR-11(02) - links: - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sa-10 - rel: related - text: SA-10 - parts: - - - id: sr-11.2_smt - name: statement - prose: Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}. - - - id: sr-11.2_gdn - name: guidance - prose: None. - - - id: sr-11.3 - class: SP800-53-enhancement - title: Component Disposal - parameters: - - - id: sr-11.3_prm_1 - label: organization-defined techniques and methods - properties: - - - name: label - value: SR-11(3) - - - name: sort-id - value: SR-11(03) - links: - - - href: #mp-6 - rel: related - text: MP-6 - parts: - - - id: sr-11.3_smt - name: statement - prose: Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}. - - - id: sr-11.3_gdn - name: guidance - prose: Proper disposal of system components helps to prevent such components from entering the gray market. - back-matter: - resources: - - - uuid: a7dfa526-b81f-41d7-9875-c8b0faafe74b - title: [PRIVACT] - citation: - text: Privacy Act (P.L. 93-579), December 1974. - rlinks: - - - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf - - - uuid: 43facb7b-0afb-480f-8191-34790d5b444b - title: [EVIDACT] - citation: - text: Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019. - rlinks: - - - href: https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf - - - uuid: 52a8b0c6-0c6b-424b-928d-41c50ba87838 - title: [EO 13526] - citation: - text: Executive Order 13526, *Classified National Security Information*, December 2009. - rlinks: - - - href: https://www.archives.gov/isoo/policy-documents/cnsi-eo.html - - - uuid: 14958422-54f6-471f-a345-802dca594dd8 - title: [FISMA] - citation: - text: Federal Information Security Modernization Act (P.L. 113-283), December 2014. - rlinks: - - - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf - - - uuid: 2b5e12fb-633f-49e6-8aff-81d75bf53545 - title: [EO 13587] - citation: - text: Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011. - rlinks: - - - href: https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net - - - uuid: cde25174-38e0-4a00-8919-8ee3674b8088 - title: [HSPD 7] - citation: - text: Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003. - rlinks: - - - href: https://www.dhs.gov/homeland-security-presidential-directive-7 - - - uuid: 2383ccfd-d8a0-4e3a-bf40-21288ae1e07a - title: [5 CFR 731] - citation: - text: Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106). - rlinks: - - - href: https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf - - - uuid: 742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - title: [32 CFR 2002] - citation: - text: Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002). - rlinks: - - - href: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information - - - uuid: 286d42a1-efbe-49a2-9ce1-4c9bf68feb3b - title: [ODNI NITP] - citation: - text: - """ - Office of the Director National Intelligence, *National Insider Threat Policy* - - """ - rlinks: - - - href: https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf - - - uuid: 395f6bb9-bcc2-41fc-977f-04372f4a6a82 - title: [OMB A-108] - citation: - text: - """ - Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf - - - uuid: a646d45d-775f-4887-86d3-5a00ffbc4090 - title: [OMB A-130] - citation: - text: Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016. - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf - - - uuid: f7d3617a-9a4f-4f1a-a688-845081b70390 - title: [OMB M-17-06] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf - - - uuid: 389fe193-866e-46b1-bf1d-38904b56aa7b - title: [OMB M-17-12] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. ** - - """ - rlinks: - - - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf - - - uuid: ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3 - title: [OMB M-17-25] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf - - - uuid: d843e915-eeb6-4bbe-8cab-ccc802088703 - title: [OMB M-19-23] - citation: - text: - """ - Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf - - - uuid: ee96f130-3f91-46ed-a4d8-57e5f220a623 - title: [CNSSI 1253] - citation: - text: Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014. - rlinks: - - - href: https://www.cnss.gov/CNSS/issuances/Instructions.cfm - - - uuid: 24b7b1ec-6430-41de-9353-29fdb1b488fc - title: [DHS NIPP] - citation: - text: Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009. - rlinks: - - - href: https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf - - - uuid: 6ddb507b-6ddb-4e15-a8d4-0854e704446e - title: [ISO 15408-1] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf - - - uuid: 18abb755-c10f-407d-b0ef-4f99e5ec4a49 - title: [ISO 15408-2] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf - - - uuid: 2ce3a8bf-7f8b-4249-bd16-808231415b14 - title: [ISO 15408-3] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf - - - uuid: aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - title: [FIPS 140-3] - citation: - text: National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.140-3 - - - uuid: d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - title: [FIPS 180-4] - citation: - text: National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.180-4 - - - uuid: 0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - title: [FIPS 186-4] - citation: - text: National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.186-4 - - - uuid: bbc7085f-b383-444e-af74-722a55cccc0f - title: [FIPS 197] - citation: - text: National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.197 - - - uuid: b3e26423-0687-47c7-ba9a-a96870d58a27 - title: [FIPS 199] - citation: - text: National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.199 - - - uuid: f2163084-3287-45e2-9ee7-95f020415495 - title: [FIPS 200] - citation: - text: National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.200 - - - uuid: ab414c48-b7a2-4ffe-b74d-4d8b8120adce - title: [FIPS 201-2] - citation: - text: National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.201-2 - - - uuid: 11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - title: [FIPS 202] - citation: - text: National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.202 - - - uuid: 12702585-0c72-43c9-9185-a76a59f74233 - title: [SP 800-12] - citation: - text: - """ - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-12r1 - - - uuid: ae962073-f9bb-4210-b1ad-53ef6f6afad6 - title: [SP 800-18] - citation: - text: - """ - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-18r1 - - - uuid: 8e334d74-fc06-47a9-bbb1-804fdfae0e44 - title: [SP 800-28] - citation: - text: - """ - Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-28ver2 - - - uuid: 1d9f757b-00d5-4db1-b15b-0ad641c6df7c - title: [SP 800-30] - citation: - text: Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-30r1 - - - uuid: b7140427-d4c4-467a-97a1-5ca9f7c6584a - title: [SP 800-32] - citation: - text: Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-32 - - - uuid: 65774382-fcc6-4bbc-89fc-9d35aab19952 - title: [SP 800-34] - citation: - text: Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-34r1 - - - uuid: ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - title: [SP 800-35] - citation: - text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-35 - - - uuid: e07d73ea-96b9-4330-aff2-e0215f455343 - title: [SP 800-37] - citation: - text: Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-37r2 - - - uuid: 451e9636-402e-4c27-b3f5-e0e50f957f27 - title: [SP 800-39] - citation: - text: Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-39 - - - uuid: 1126ec09-2b27-4a21-80b2-fef70b31c49d - title: [SP 800-40] - citation: - text: Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-40r3 - - - uuid: db7877cf-1013-4fb1-b943-ca9361d16370 - title: [SP 800-41] - citation: - text: Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-41r1 - - - uuid: 23b0a203-c020-47dd-b86c-9f8c35ecaa4e - title: [SP 800-45] - citation: - text: Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-45ver2 - - - uuid: 7768c184-088d-4ee8-a316-f9286b52df7f - title: [SP 800-46] - citation: - text: Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-46r2 - - - uuid: 2e66c31a-190e-49ad-8e00-f306f8a0df17 - title: [SP 800-47] - citation: - text: Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-47 - - - uuid: 2e29c363-d5be-47ba-92f5-f8a58a69b65e - title: [SP 800-50] - citation: - text: Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-50 - - - uuid: 286604ec-e383-4c1d-bd8c-d88f88e54a0f - title: [SP 800-52] - citation: - text: McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-52r2 - - - uuid: 5db6dfe4-788e-4183-93b9-f6fb29d75e41 - title: [SP 800-53A] - citation: - text: Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 - - - uuid: 31f3c9de-c57c-4281-929b-f9951f9640f1 - title: [SP 800-53B] - citation: - text: National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020. - - - uuid: 8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - title: [SP 800-55] - citation: - text: Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-55r1 - - - uuid: 77dc1838-3664-4faa-bc6e-4e2a16e52f35 - title: [SP 800-56A] - citation: - text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Ar3 - - - uuid: f417e4ec-cadb-47a8-a363-6006b32c28ad - title: [SP 800-56B] - citation: - text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Br2 - - - uuid: 7c3ba335-62bd-4f03-888f-960790409b11 - title: [SP 800-56C] - citation: - text: Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Cr1 - - - uuid: 770f9bdc-4023-48ef-8206-c65397f061ea - title: [SP 800-57-1] - citation: - text: Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt1r4 - - - uuid: 69644a9e-438a-47c3-bac9-cf28b5baf848 - title: [SP 800-57-2] - citation: - text: Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt2r1 - - - uuid: 9933c883-e8f3-4a83-9a9a-d1e058038080 - title: [SP 800-57-3] - citation: - text: Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt3r1 - - - uuid: 68949f14-9cf5-4116-91d8-e820b9df3ffd - title: [SP 800-60 v1] - citation: - text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 - - - uuid: e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - title: [SP 800-60 v2] - citation: - text: Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 - - - uuid: 7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - title: [SP 800-61] - citation: - text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-61r2 - - - uuid: 549993c0-9bdd-4d49-875c-f56950cc5f30 - title: [SP 800-63-3] - citation: - text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-63-3 - - - uuid: 3c50fa31-7f4d-4d30-91d7-27ee87cd5f75 - title: [SP 800-63A] - citation: - text: Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-63a - - - uuid: 14a7d982-9747-48e0-a877-3e8fbf6ae381 - title: [SP 800-70] - citation: - text: Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-70r4 - - - uuid: 3d6b3a16-94e7-4a43-8648-8bdeaadb271b - title: [SP 800-73-4] - citation: - text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-73-4 - - - uuid: d5ef0056-c807-44c3-a7b5-6eb491538f8e - title: [SP 800-76-2] - citation: - text: - """ - Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-76-2 - - - uuid: 8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - title: [SP 800-77] - citation: - text: Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-77 - - - uuid: 013e098f-0680-4856-a130-b768c69dab9c - title: [SP 800-78-4] - citation: - text: - """ - Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-78-4 - - - uuid: bb55e71a-e059-4263-8dd8-bc96fd3f063d - title: [SP 800-79-2] - citation: - text: - """ - Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-79-2 - - - uuid: 93d44344-59f9-4669-845d-6cc2a5852621 - title: [SP 800-81-2] - citation: - text: - """ - Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-81-2 - - - uuid: 8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - title: [SP 800-83] - citation: - text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-83r1 - - - uuid: 20bf433b-074c-47a0-8fca-cd591772ccd6 - title: [SP 800-84] - citation: - text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-84 - - - uuid: 35dfd59f-eef2-4f71-bdb5-6d878267456a - title: [SP 800-86] - citation: - text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-86 - - - uuid: fed6a3b5-2b74-499f-9172-46671f7c24c8 - title: [SP 800-88] - citation: - text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-88r1 - - - uuid: 02d8ec60-6197-43f8-9f47-18732127963e - title: [SP 800-92] - citation: - text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-92 - - - uuid: 41e2e2c6-2260-4258-85c8-09db17c43103 - title: [SP 800-94] - citation: - text: Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-94 - - - uuid: 1d91d984-0cb6-4f96-a01d-c39a3eee7d43 - title: [SP 800-95] - citation: - text: Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-95 - - - uuid: 6bed1550-cd5d-4e80-8d83-4e597c1514fe - title: [SP 800-97] - citation: - text: Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-97 - - - uuid: 9183bd83-170e-4701-b32c-97e08ef8bedb - title: [SP 800-100] - citation: - text: Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-100 - - - uuid: 1e2c475a-84ae-4c60-b420-8fb2ea552b71 - title: [SP 800-101] - citation: - text: - """ - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-101r1 - - - uuid: 1b14b50f-7154-4226-958c-7dfff8276755 - title: [SP 800-111] - citation: - text: - """ - Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-111 - - - uuid: 36132a58-56fd-4980-9f6c-c010d3faf52b - title: [SP 800-113] - citation: - text: Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-113 - - - uuid: 49fa1ee1-aaf7-4270-bb5a-a86497f717dc - title: [SP 800-114] - citation: - text: Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-114r1 - - - uuid: a6b97214-55d4-4b86-a3a4-53d5911d96f7 - title: [SP 800-115] - citation: - text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-115 - - - uuid: ad7d575f-b5fe-489b-8d48-36a93d964a5f - title: [SP 800-116] - citation: - text: Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-116r1 - - - uuid: 60b24979-65b8-4ca5-a442-11b74339fab5 - title: [SP 800-121] - citation: - text: Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-121r2 - - - uuid: 18c6942b-95f8-414c-b548-c8e6b8d8a172 - title: [SP 800-124] - citation: - text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-124r1 - - - uuid: c972a85c-fa75-4596-be25-a338dc7e4e46 - title: [SP 800-125B] - citation: - text: Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-125B - - - uuid: 0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - title: [SP 800-126] - citation: - text: Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-126r3 - - - uuid: a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - title: [SP 800-128] - citation: - text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-128 - - - uuid: ae412317-c2b4-47bb-b47b-c329ce0d7a0b - title: [SP 800-130] - citation: - text: Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-130 - - - uuid: c3b34083-77b2-4dab-a980-73068f8933bd - title: [SP 800-137] - citation: - text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-137 - - - uuid: e9224c9b-4fa5-40b7-bfbb-02bff7712d92 - title: [SP 800-147] - citation: - text: Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-147 - - - uuid: ad3e8f21-07c6-4968-b002-00b64dfa70ae - title: [SP 800-150] - citation: - text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-150 - - - uuid: 38dbdf55-9a14-446f-b563-c48e4e3d37fb - title: [SP 800-152] - citation: - text: Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-152 - - - uuid: fd0f14f5-8910-45c4-b60a-0c8936e00daa - title: [SP 800-154] - citation: - text: Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. - rlinks: - - - href: https://csrc.nist.gov/publications/detail/sp/800-154/draft - - - uuid: f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa - title: [SP 800-156] - citation: - text: Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-156 - - - uuid: 8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - title: [SP 800-160 v1] - citation: - text: Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v1 - - - uuid: 8411e6e8-09bd-431d-bbcb-3423d36ad880 - title: [SP 800-160 v2] - citation: - text: Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v2 - - - uuid: 66476e76-46b4-47fb-be19-d13e6f3840df - title: [SP 800-161] - citation: - text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-161 - - - uuid: 359f960c-2598-454c-ba3b-a30c553e498f - title: [SP 800-162] - citation: - text: Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-162 - - - uuid: a8f55663-86c5-415b-aabe-d2a126981d65 - title: [SP 800-166] - citation: - text: Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-166 - - - uuid: 893d1736-324c-41d6-a5f4-d526b5ca981a - title: [SP 800-167] - citation: - text: Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-167 - - - uuid: 0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - title: [SP 800-171] - citation: - text: Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-171r2 - - - uuid: aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - title: [SP 800-171B] - citation: - text: Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B. - rlinks: - - - href: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf - - - uuid: 64e044e4-b2a9-490f-a079-1106407c812f - title: [SP 800-177] - citation: - text: Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-177r1 - - - uuid: 223b23a9-baea-4a50-8058-63cf7967b61f - title: [SP 800-178] - citation: - text: Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-178 - - - uuid: f4c3f657-de83-47ae-9aec-e144de8268d1 - title: [SP 800-181] - citation: - text: Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-181 - - - uuid: 08f518f7-f9b9-4bee-8986-860214f46b16 - title: [SP 800-184] - citation: - text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-184 - - - uuid: eadef75e-7e4d-4554-b818-44946c1dde0e - title: [SP 800-188] - citation: - text: Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - rlinks: - - - href: https://csrc.nist.gov/publications/detail/sp/800-188/draft - - - uuid: 3862cd94-ff25-4631-9a9a-b92c21a0a923 - title: [SP 800-189] - citation: - text: Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-189 - - - uuid: 06d3c11a-4a00-42d9-ad75-e6a777ffae5e - title: [SP 800-192] - citation: - text: Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-192 - - - uuid: d4779b49-8acc-45ef-b4f0-30f945e81d1b - title: [IR 7539] - citation: - text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7539 - - - uuid: 09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - title: [IR 7559] - citation: - text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7559 - - - uuid: 7b03adec-4405-4aac-94a0-6a9eb3f42e31 - title: [IR 7622] - citation: - text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7622 - - - uuid: daf69edb-a0ef-4447-9880-8c4bf553181f - title: [IR 7676] - citation: - text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7676 - - - uuid: bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - title: [IR 7788] - citation: - text: Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7788 - - - uuid: a49f67fc-827c-40e6-9a37-2b1cbe8142fd - title: [IR 7817] - citation: - text: Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7817 - - - uuid: 972c10bd-aedf-485f-b0db-f46a402127e2 - title: [IR 7849] - citation: - text: Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7849 - - - uuid: 197f7ba7-9af8-4a67-b3a4-5523d850e53b - title: [IR 7870] - citation: - text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7870 - - - uuid: bb22d510-54a9-4588-b725-00d37576562b - title: [IR 7874] - citation: - text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7874 - - - uuid: f437b52f-7f26-42aa-8e8f-999e7d67b2fe - title: [IR 7956] - citation: - text: Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7956 - - - uuid: 30213e10-2aca-47b3-8cdb-61303e0959f5 - title: [IR 7966] - citation: - text: Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7966 - - - uuid: 851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - title: [IR 8011 v1] - citation: - text: Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8011-1 - - - uuid: 7e7538d7-9c3a-4e5f-bbb4-638cec975415 - title: [IR 8023] - citation: - text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8023 - - - uuid: 24738ee6-b3f3-4e37-825b-58775846bdbc - title: [IR 8040] - citation: - text: Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8040 - - - uuid: 817b4227-5857-494d-9032-915980b32f15 - title: [IR 8062] - citation: - text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8062 - - - uuid: 7a93e915-fd58-4147-be12-e48044c367e6 - title: [IR 8179] - citation: - text: Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8179 - - - uuid: 294eed19-7471-4517-9480-2ec73e7c6a78 - title: [DOD STIG] - citation: - text: Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*. - rlinks: - - - href: https://iase.disa.mil/stigs/Pages/index.aspx - - - uuid: 17ca9481-ea11-4ef2-81c1-885fd37d4be5 - title: [IETF 5905] - citation: - text: - - - uuid: dd87fdf0-840d-4392-9de4-220b2327e340 - title: [NARA CUI] - citation: - text: National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. - rlinks: - - - href: https://www.archives.gov/cui - - - uuid: 5dac2312-1d0d-416f-aebb-400fa9775b74 - title: [NIAP CCEVS] - citation: - text: National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*. - rlinks: - - - href: https://www.niap-ccevs.org/ - - - uuid: 5cc04a1c-5489-4751-a493-746a9639067b - title: [NCPR] - citation: - text: National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at - rlinks: - - - href: https://nvd.nist.gov/ncp/repository - - - uuid: 634dec27-df88-4c30-b1a4-b57cdfd24f20 - title: [NSA CSFC] - citation: - text: National Security Agency, *Commercial Solutions for Classified Program (CSfC)*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/csfc - - - uuid: a52271dc-11b5-423a-8b6f-14867bd94259 - title: [NSA MEDIA] - citation: - text: National Security Agency, *Media Destruction Guidance*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/media-destruction - - - uuid: 06842bea-64c9-4e20-807a-b8fc003fa737 - title: [USGCB] - citation: - text: National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at - rlinks: - - - href: https://csrc.nist.gov/projects/united-states-government-configuration-baseline diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.yaml deleted file mode 100644 index b5f6abf7f4..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_HIGH-baseline_profile.yaml +++ /dev/null @@ -1,856 +0,0 @@ -profile: - uuid: 3ae6cabe-4976-43e4-b921-11c34b432b51 - metadata: - title: SP800-53 HIGH IMPACT BASELINE - last-modified: 2020-08-26T16:28:38.111-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: a90f4235-ab3c-4bf1-ba0a-865bbc833346 - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: a90f4235-ab3c-4bf1-ba0a-865bbc833346 - contact: - party-uuids: a90f4235-ab3c-4bf1-ba0a-865bbc833346 - imports: - - - href: NIST_SP-800-53_rev5-FPD_catalog.xml - include: - id-selectors: - - - control-id: ac-1 - - - control-id: ac-2 - - - control-id: ac-2.1 - - - control-id: ac-2.2 - - - control-id: ac-2.3 - - - control-id: ac-2.4 - - - control-id: ac-2.5 - - - control-id: ac-2.11 - - - control-id: ac-2.12 - - - control-id: ac-2.13 - - - control-id: ac-3 - - - control-id: ac-4 - - - control-id: ac-4.4 - - - control-id: ac-5 - - - control-id: ac-6 - - - control-id: ac-6.1 - - - control-id: ac-6.2 - - - control-id: ac-6.3 - - - control-id: ac-6.5 - - - control-id: ac-6.7 - - - control-id: ac-6.9 - - - control-id: ac-6.10 - - - control-id: ac-7 - - - control-id: ac-8 - - - control-id: ac-10 - - - control-id: ac-11 - - - control-id: ac-11.1 - - - control-id: ac-12 - - - control-id: ac-14 - - - control-id: ac-17 - - - control-id: ac-17.1 - - - control-id: ac-17.2 - - - control-id: ac-17.3 - - - control-id: ac-17.4 - - - control-id: ac-18 - - - control-id: ac-18.1 - - - control-id: ac-18.3 - - - control-id: ac-18.4 - - - control-id: ac-18.5 - - - control-id: ac-19 - - - control-id: ac-19.5 - - - control-id: ac-20 - - - control-id: ac-20.1 - - - control-id: ac-20.2 - - - control-id: ac-21 - - - control-id: ac-22 - - - control-id: at-1 - - - control-id: at-2 - - - control-id: at-2.2 - - - control-id: at-2.3 - - - control-id: at-3 - - - control-id: at-4 - - - control-id: au-1 - - - control-id: au-2 - - - control-id: au-3 - - - control-id: au-3.1 - - - control-id: au-3.2 - - - control-id: au-4 - - - control-id: au-5 - - - control-id: au-5.1 - - - control-id: au-5.2 - - - control-id: au-6 - - - control-id: au-6.1 - - - control-id: au-6.3 - - - control-id: au-6.5 - - - control-id: au-6.6 - - - control-id: au-7 - - - control-id: au-7.1 - - - control-id: au-8 - - - control-id: au-8.1 - - - control-id: au-9 - - - control-id: au-9.2 - - - control-id: au-9.3 - - - control-id: au-9.4 - - - control-id: au-10 - - - control-id: au-11 - - - control-id: au-12 - - - control-id: au-12.1 - - - control-id: au-12.3 - - - control-id: ca-1 - - - control-id: ca-2 - - - control-id: ca-2.1 - - - control-id: ca-2.2 - - - control-id: ca-3 - - - control-id: ca-3.6 - - - control-id: ca-5 - - - control-id: ca-6 - - - control-id: ca-7 - - - control-id: ca-7.1 - - - control-id: ca-7.4 - - - control-id: ca-8 - - - control-id: ca-8.1 - - - control-id: ca-9 - - - control-id: cm-1 - - - control-id: cm-2 - - - control-id: cm-2.2 - - - control-id: cm-2.3 - - - control-id: cm-2.7 - - - control-id: cm-3 - - - control-id: cm-3.1 - - - control-id: cm-3.2 - - - control-id: cm-3.4 - - - control-id: cm-3.6 - - - control-id: cm-4 - - - control-id: cm-4.1 - - - control-id: cm-4.2 - - - control-id: cm-5 - - - control-id: cm-5.1 - - - control-id: cm-5.3 - - - control-id: cm-6 - - - control-id: cm-6.1 - - - control-id: cm-6.2 - - - control-id: cm-7 - - - control-id: cm-7.1 - - - control-id: cm-7.2 - - - control-id: cm-7.5 - - - control-id: cm-8 - - - control-id: cm-8.1 - - - control-id: cm-8.2 - - - control-id: cm-8.3 - - - control-id: cm-8.4 - - - control-id: cm-9 - - - control-id: cm-10 - - - control-id: cm-11 - - - control-id: cm-12 - - - control-id: cm-12.1 - - - control-id: cp-1 - - - control-id: cp-2 - - - control-id: cp-2.1 - - - control-id: cp-2.2 - - - control-id: cp-2.3 - - - control-id: cp-2.5 - - - control-id: cp-2.8 - - - control-id: cp-3 - - - control-id: cp-3.1 - - - control-id: cp-4 - - - control-id: cp-4.1 - - - control-id: cp-4.2 - - - control-id: cp-6 - - - control-id: cp-6.1 - - - control-id: cp-6.2 - - - control-id: cp-6.3 - - - control-id: cp-7 - - - control-id: cp-7.1 - - - control-id: cp-7.2 - - - control-id: cp-7.3 - - - control-id: cp-7.4 - - - control-id: cp-8 - - - control-id: cp-8.1 - - - control-id: cp-8.2 - - - control-id: cp-8.3 - - - control-id: cp-8.4 - - - control-id: cp-9 - - - control-id: cp-9.1 - - - control-id: cp-9.2 - - - control-id: cp-9.3 - - - control-id: cp-9.5 - - - control-id: cp-9.8 - - - control-id: cp-10 - - - control-id: cp-10.2 - - - control-id: cp-10.4 - - - control-id: ia-1 - - - control-id: ia-2 - - - control-id: ia-2.1 - - - control-id: ia-2.2 - - - control-id: ia-2.5 - - - control-id: ia-2.8 - - - control-id: ia-2.12 - - - control-id: ia-3 - - - control-id: ia-4 - - - control-id: ia-4.4 - - - control-id: ia-5 - - - control-id: ia-5.1 - - - control-id: ia-5.2 - - - control-id: ia-5.6 - - - control-id: ia-6 - - - control-id: ia-7 - - - control-id: ia-8 - - - control-id: ia-8.1 - - - control-id: ia-8.2 - - - control-id: ia-8.4 - - - control-id: ia-11 - - - control-id: ia-12 - - - control-id: ia-12.2 - - - control-id: ia-12.3 - - - control-id: ia-12.4 - - - control-id: ia-12.5 - - - control-id: ir-1 - - - control-id: ir-2 - - - control-id: ir-2.1 - - - control-id: ir-2.2 - - - control-id: ir-3 - - - control-id: ir-3.2 - - - control-id: ir-4 - - - control-id: ir-4.1 - - - control-id: ir-4.4 - - - control-id: ir-5 - - - control-id: ir-5.1 - - - control-id: ir-6 - - - control-id: ir-6.1 - - - control-id: ir-6.3 - - - control-id: ir-7 - - - control-id: ir-7.1 - - - control-id: ir-8 - - - control-id: ir-10 - - - control-id: ma-1 - - - control-id: ma-2 - - - control-id: ma-2.2 - - - control-id: ma-3 - - - control-id: ma-3.1 - - - control-id: ma-3.2 - - - control-id: ma-3.3 - - - control-id: ma-4 - - - control-id: ma-4.3 - - - control-id: ma-5 - - - control-id: ma-5.1 - - - control-id: ma-6 - - - control-id: mp-1 - - - control-id: mp-2 - - - control-id: mp-3 - - - control-id: mp-4 - - - control-id: mp-5 - - - control-id: mp-6 - - - control-id: mp-6.1 - - - control-id: mp-6.2 - - - control-id: mp-6.3 - - - control-id: mp-7 - - - control-id: pe-1 - - - control-id: pe-2 - - - control-id: pe-3 - - - control-id: pe-3.1 - - - control-id: pe-4 - - - control-id: pe-5 - - - control-id: pe-6 - - - control-id: pe-6.1 - - - control-id: pe-6.4 - - - control-id: pe-8 - - - control-id: pe-8.1 - - - control-id: pe-9 - - - control-id: pe-10 - - - control-id: pe-11 - - - control-id: pe-11.1 - - - control-id: pe-12 - - - control-id: pe-13 - - - control-id: pe-13.1 - - - control-id: pe-13.2 - - - control-id: pe-14 - - - control-id: pe-15 - - - control-id: pe-15.1 - - - control-id: pe-16 - - - control-id: pe-17 - - - control-id: pe-18 - - - control-id: pl-1 - - - control-id: pl-2 - - - control-id: pl-4 - - - control-id: pl-4.1 - - - control-id: pl-8 - - - control-id: pl-10 - - - control-id: pl-11 - - - control-id: pm-1 - - - control-id: pm-2 - - - control-id: pm-3 - - - control-id: pm-4 - - - control-id: pm-5 - - - control-id: pm-5.1 - - - control-id: pm-6 - - - control-id: pm-7 - - - control-id: pm-7.1 - - - control-id: pm-8 - - - control-id: pm-9 - - - control-id: pm-10 - - - control-id: pm-11 - - - control-id: pm-12 - - - control-id: pm-13 - - - control-id: pm-14 - - - control-id: pm-15 - - - control-id: pm-16 - - - control-id: pm-16.1 - - - control-id: pm-17 - - - control-id: pm-18 - - - control-id: pm-19 - - - control-id: pm-20 - - - control-id: pm-21 - - - control-id: pm-22 - - - control-id: pm-23 - - - control-id: pm-24 - - - control-id: pm-25 - - - control-id: pm-26 - - - control-id: pm-27 - - - control-id: pm-28 - - - control-id: pm-29 - - - control-id: pm-30 - - - control-id: pm-31 - - - control-id: pm-32 - - - control-id: ps-1 - - - control-id: ps-2 - - - control-id: ps-3 - - - control-id: ps-4 - - - control-id: ps-4.2 - - - control-id: ps-5 - - - control-id: ps-6 - - - control-id: ps-7 - - - control-id: ps-8 - - - control-id: ra-1 - - - control-id: ra-2 - - - control-id: ra-3 - - - control-id: ra-3.1 - - - control-id: ra-5 - - - control-id: ra-5.2 - - - control-id: ra-5.4 - - - control-id: ra-5.5 - - - control-id: ra-7 - - - control-id: ra-9 - - - control-id: sa-1 - - - control-id: sa-2 - - - control-id: sa-3 - - - control-id: sa-4 - - - control-id: sa-4.1 - - - control-id: sa-4.2 - - - control-id: sa-4.5 - - - control-id: sa-4.9 - - - control-id: sa-4.10 - - - control-id: sa-5 - - - control-id: sa-8 - - - control-id: sa-9 - - - control-id: sa-9.2 - - - control-id: sa-10 - - - control-id: sa-11 - - - control-id: sa-15 - - - control-id: sa-15.3 - - - control-id: sa-16 - - - control-id: sa-17 - - - control-id: sa-21 - - - control-id: sa-22 - - - control-id: sc-1 - - - control-id: sc-2 - - - control-id: sc-3 - - - control-id: sc-4 - - - control-id: sc-5 - - - control-id: sc-7 - - - control-id: sc-7.3 - - - control-id: sc-7.4 - - - control-id: sc-7.5 - - - control-id: sc-7.7 - - - control-id: sc-7.8 - - - control-id: sc-7.18 - - - control-id: sc-7.21 - - - control-id: sc-8 - - - control-id: sc-8.1 - - - control-id: sc-10 - - - control-id: sc-12 - - - control-id: sc-12.1 - - - control-id: sc-13 - - - control-id: sc-15 - - - control-id: sc-17 - - - control-id: sc-18 - - - control-id: sc-20 - - - control-id: sc-21 - - - control-id: sc-22 - - - control-id: sc-23 - - - control-id: sc-24 - - - control-id: sc-28 - - - control-id: sc-28.1 - - - control-id: sc-39 - - - control-id: si-1 - - - control-id: si-2 - - - control-id: si-2.1 - - - control-id: si-2.2 - - - control-id: si-3 - - - control-id: si-3.1 - - - control-id: si-4 - - - control-id: si-4.2 - - - control-id: si-4.4 - - - control-id: si-4.5 - - - control-id: si-4.10 - - - control-id: si-4.12 - - - control-id: si-4.14 - - - control-id: si-4.20 - - - control-id: si-4.22 - - - control-id: si-5 - - - control-id: si-5.1 - - - control-id: si-6 - - - control-id: si-7 - - - control-id: si-7.1 - - - control-id: si-7.2 - - - control-id: si-7.5 - - - control-id: si-7.7 - - - control-id: si-7.15 - - - control-id: si-8 - - - control-id: si-8.1 - - - control-id: si-8.2 - - - control-id: si-10 - - - control-id: si-11 - - - control-id: si-12 - - - control-id: si-16 - - - control-id: sr-1 - - - control-id: sr-2 - - - control-id: sr-2.1 - - - control-id: sr-3 - - - control-id: sr-5 - - - control-id: sr-6 - - - control-id: sr-8 - - - control-id: sr-9 - - - control-id: sr-9.1 - - - control-id: sr-10 - - - control-id: sr-11 - - - control-id: sr-11.1 - - - control-id: sr-11.2 - - - control-id: sr-11.3 - merge: - as-is: true diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.yaml deleted file mode 100644 index 1579f029be..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline-resolved-profile_catalog.yaml +++ /dev/null @@ -1,20756 +0,0 @@ -catalog: - uuid: ab1003f2-c716-4c18-873c-2ae4ae46d829 - metadata: - title: SP800-53 LOW IMPACT BASELINE - last-modified: 2020-08-26T16:28:37.432-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - properties: - - - name: resolution-timestamp - value: 2020-08-31T17:39:43.230651Z - links: - - - href: NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.xml - rel: resolution-source - text: SP800-53 LOW IMPACT BASELINE - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: fcba95f8-df3b-47cd-ae6f-57089a2b7174 - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: fcba95f8-df3b-47cd-ae6f-57089a2b7174 - contact: - party-uuids: fcba95f8-df3b-47cd-ae6f-57089a2b7174 - groups: - - - id: ac - class: family - title: Access Control - controls: - - - id: ac-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ac-1_prm_1 - label: organization-defined personnel or roles - - - id: ac-1_prm_2 - - - id: ac-1_prm_3 - label: organization-defined official - - - id: ac-1_prm_4 - label: organization-defined frequency - - - id: ac-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AC-1 - - - name: sort-id - value: AC-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ac-1_smt - name: statement - parts: - - - id: ac-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ac-1_prm_1 }}: - parts: - - - id: ac-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ac-1_prm_2 }} access control policy that: - """ - parts: - - - id: ac-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ac-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ac-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the access control policy and the associated access controls; - - - id: ac-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and - - - id: ac-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current access control: - parts: - - - id: ac-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ac-1_prm_4 }}; and - - - id: ac-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ac-1_prm_5 }}. - - - id: ac-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ac-2 - class: SP800-53 - title: Account Management - parameters: - - - id: ac-2_prm_1 - label: organization-defined attributes (as required) - - - id: ac-2_prm_2 - label: organization-defined personnel or roles - - - id: ac-2_prm_3 - label: organization-defined policy, procedures, and conditions - - - id: ac-2_prm_4 - label: organization-defined personnel or roles - - - id: ac-2_prm_5 - label: organization-defined time-period - - - id: ac-2_prm_6 - label: organization-defined time-period - - - id: ac-2_prm_7 - label: organization-defined time-period - - - id: ac-2_prm_8 - label: organization-defined attributes (as required) - - - id: ac-2_prm_9 - label: organization-defined frequency - properties: - - - name: label - value: AC-2 - - - name: sort-id - value: AC-02 - links: - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #06d3c11a-4a00-42d9-ad75-e6a777ffae5e - rel: reference - text: [SP 800-192] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ac-24 - rel: related - text: AC-24 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-37 - rel: related - text: SC-37 - parts: - - - id: ac-2_smt - name: statement - parts: - - - id: ac-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define and document the types of accounts allowed for use within the system; - - - id: ac-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Assign account managers; - - - id: ac-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Establish conditions for group and role membership; - - - id: ac-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Specify: - parts: - - - id: ac-2_smt.d.1 - name: item - properties: - - - name: label - value: 1. - prose: Authorized users of the system; - - - id: ac-2_smt.d.2 - name: item - properties: - - - name: label - value: 2. - prose: Group and role membership; and - - - id: ac-2_smt.d.3 - name: item - properties: - - - name: label - value: 3. - prose: Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account; - - - id: ac-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Require approvals by {{ ac-2_prm_2 }} for requests to create accounts; - - - id: ac-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }}; - - - id: ac-2_smt.g - name: item - properties: - - - name: label - value: g. - prose: Monitor the use of accounts; - - - id: ac-2_smt.h - name: item - properties: - - - name: label - value: h. - prose: Notify account managers and {{ ac-2_prm_4 }} within: - parts: - - - id: ac-2_smt.h.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ac-2_prm_5 }} when accounts are no longer required; - """ - - - id: ac-2_smt.h.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ ac-2_prm_6 }} when users are terminated or transferred; and - """ - - - id: ac-2_smt.h.3 - name: item - properties: - - - name: label - value: 3. - prose: - """ - - {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual; - """ - - - id: ac-2_smt.i - name: item - properties: - - - name: label - value: i. - prose: Authorize access to the system based on: - parts: - - - id: ac-2_smt.i.1 - name: item - properties: - - - name: label - value: 1. - prose: A valid access authorization; - - - id: ac-2_smt.i.2 - name: item - properties: - - - name: label - value: 2. - prose: Intended system usage; and - - - id: ac-2_smt.i.3 - name: item - properties: - - - name: label - value: 3. - prose: - """ - - {{ ac-2_prm_8 }}; - """ - - - id: ac-2_smt.j - name: item - properties: - - - name: label - value: j. - prose: Review accounts for compliance with account management requirements {{ ac-2_prm_9 }}; - - - id: ac-2_smt.k - name: item - properties: - - - name: label - value: k. - prose: Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and - - - id: ac-2_smt.l - name: item - properties: - - - name: label - value: l. - prose: Align account management processes with personnel termination and transfer processes. - - - id: ac-2_gdn - name: guidance - prose: - """ - Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy. - Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. - Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training. - """ - - - id: ac-3 - class: SP800-53 - title: Access Enforcement - properties: - - - name: label - value: AC-3 - - - name: sort-id - value: AC-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #ac-24 - rel: related - text: AC-24 - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-6 - rel: related - text: IA-6 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-4 - rel: related - text: SC-4 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-3_smt - name: statement - prose: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - - - id: ac-3_gdn - name: guidance - prose: Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family. - - - id: ac-7 - class: SP800-53 - title: Unsuccessful Logon Attempts - parameters: - - - id: ac-7_prm_1 - label: organization-defined number - - - id: ac-7_prm_2 - label: organization-defined time-period - - - id: ac-7_prm_3 - - - id: ac-7_prm_4 - depends-on: ac-7_prm_3 - label: organization-defined time-period - - - id: ac-7_prm_5 - depends-on: ac-7_prm_3 - label: organization-defined delay algorithm - - - id: ac-7_prm_6 - depends-on: ac-7_prm_3 - label: organization-defined action - properties: - - - name: label - value: AC-7 - - - name: sort-id - value: AC-07 - links: - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-9 - rel: related - text: AC-9 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-5 - rel: related - text: IA-5 - parts: - - - id: ac-7_smt - name: statement - parts: - - - id: ac-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and - - - id: ac-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded. - - - id: ac-7_gdn - name: guidance - prose: - """ - This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address. - Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need. - """ - - - id: ac-8 - class: SP800-53 - title: System Use Notification - parameters: - - - id: ac-8_prm_1 - label: organization-defined system use notification message or banner - - - id: ac-8_prm_2 - label: organization-defined conditions - properties: - - - name: label - value: AC-8 - - - name: sort-id - value: AC-08 - links: - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-8_smt - name: statement - parts: - - - id: ac-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: - parts: - - - id: ac-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Users are accessing a U.S. Government system; - - - id: ac-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: System usage may be monitored, recorded, and subject to audit; - - - id: ac-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and - - - id: ac-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Use of the system indicates consent to monitoring and recording; - - - id: ac-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and - - - id: ac-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: For publicly accessible systems: - parts: - - - id: ac-8_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system; - - - id: ac-8_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and - - - id: ac-8_smt.c.3 - name: item - properties: - - - name: label - value: 3. - prose: Include a description of the authorized uses of the system. - - - id: ac-8_gdn - name: guidance - prose: System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. - - - id: ac-14 - class: SP800-53 - title: Permitted Actions Without Identification or Authentication - parameters: - - - id: ac-14_prm_1 - label: organization-defined user actions - properties: - - - name: label - value: AC-14 - - - name: sort-id - value: AC-14 - links: - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: ac-14_smt - name: statement - parts: - - - id: ac-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and - - - id: ac-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. - - - id: ac-14_gdn - name: guidance - prose: Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none. - - - id: ac-17 - class: SP800-53 - title: Remote Access - properties: - - - name: label - value: AC-17 - - - name: sort-id - value: AC-17 - links: - - - href: #7768c184-088d-4ee8-a316-f9286b52df7f - rel: reference - text: [SP 800-46] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #36132a58-56fd-4980-9f6c-c010d3faf52b - rel: reference - text: [SP 800-113] - - - href: #49fa1ee1-aaf7-4270-bb5a-a86497f717dc - rel: reference - text: [SP 800-114] - - - href: #60b24979-65b8-4ca5-a442-11b74339fab5 - rel: reference - text: [SP 800-121] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-17 - rel: related - text: PE-17 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-10 - rel: related - text: SC-10 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-17_smt - name: statement - parts: - - - id: ac-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and - - - id: ac-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize each type of remote access to the system prior to allowing such connections. - - - id: ac-17_gdn - name: guidance - prose: Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3. - - - id: ac-18 - class: SP800-53 - title: Wireless Access - properties: - - - name: label - value: AC-18 - - - name: sort-id - value: AC-18 - links: - - - href: #41e2e2c6-2260-4258-85c8-09db17c43103 - rel: reference - text: [SP 800-94] - - - href: #6bed1550-cd5d-4e80-8d83-4e597c1514fe - rel: reference - text: [SP 800-97] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-18_smt - name: statement - parts: - - - id: ac-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and - - - id: ac-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize each type of wireless access to the system prior to allowing such connections. - - - id: ac-18_gdn - name: guidance - prose: Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication. - - - id: ac-19 - class: SP800-53 - title: Access Control for Mobile Devices - properties: - - - name: label - value: AC-19 - - - name: sort-id - value: AC-19 - links: - - - href: #49fa1ee1-aaf7-4270-bb5a-a86497f717dc - rel: reference - text: [SP 800-114] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-11 - rel: related - text: AC-11 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-19_smt - name: statement - parts: - - - id: ac-19_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and - - - id: ac-19_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize the connection of mobile devices to organizational systems. - - - id: ac-19_gdn - name: guidance - prose: - """ - A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. - Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. - Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. - """ - - - id: ac-20 - class: SP800-53 - title: Use of External Systems - parameters: - - - id: ac-20_prm_1 - - - id: ac-20_prm_2 - depends-on: ac-20_prm_1 - label: organization-defined terms and conditions - - - id: ac-20_prm_3 - depends-on: ac-20_prm_1 - label: organization-defined controls asserted to be implemented on external systems - properties: - - - name: label - value: AC-20 - - - name: sort-id - value: AC-20 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - rel: reference - text: [SP 800-171B] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: ac-20_smt - name: statement - prose: Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: - parts: - - - id: ac-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Access the system from external systems; and - - - id: ac-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Process, store, or transmit organization-controlled information using external systems. - - - id: ac-20_gdn - name: guidance - prose: - """ - External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries. - For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. - This control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. - """ - - - id: ac-22 - class: SP800-53 - title: Publicly Accessible Content - parameters: - - - id: ac-22_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: AC-22 - - - name: sort-id - value: AC-22 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-13 - rel: related - text: AU-13 - parts: - - - id: ac-22_smt - name: statement - parts: - - - id: ac-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Designate individuals authorized to make information publicly accessible; - - - id: ac-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; - - - id: ac-22_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and - - - id: ac-22_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered. - - - id: ac-22_gdn - name: guidance - prose: In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible. - - - id: at - class: family - title: Awareness and Training - controls: - - - id: at-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: at-1_prm_1 - label: organization-defined personnel or roles - - - id: at-1_prm_2 - - - id: at-1_prm_3 - label: organization-defined official - - - id: at-1_prm_4 - label: organization-defined frequency - - - id: at-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AT-1 - - - name: sort-id - value: AT-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-1_smt - name: statement - parts: - - - id: at-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ at-1_prm_1 }}: - parts: - - - id: at-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ at-1_prm_2 }} awareness and training policy that: - """ - parts: - - - id: at-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: at-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: at-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; - - - id: at-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and - - - id: at-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current awareness and training: - parts: - - - id: at-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ at-1_prm_4 }}; and - - - id: at-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ at-1_prm_5 }}. - - - id: at-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: at-2 - class: SP800-53 - title: Awareness Training - parameters: - - - id: at-2_prm_1 - label: organization-defined frequency - - - id: at-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: AT-2 - - - name: sort-id - value: AT-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-16 - rel: related - text: SA-16 - parts: - - - id: at-2_smt - name: statement - parts: - - - id: at-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide security and privacy awareness training to system users (including managers, senior executives, and contractors): - parts: - - - id: at-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and - - - id: at-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update awareness training {{ at-2_prm_2 }}. - - - id: at-2_gdn - name: guidance - prose: - """ - Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. - Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective. - """ - controls: - - - id: at-2.2 - class: SP800-53-enhancement - title: Insider Threat - properties: - - - name: label - value: AT-2(2) - - - name: sort-id - value: AT-02(02) - links: - - - href: #pm-12 - rel: related - text: PM-12 - parts: - - - id: at-2.2_smt - name: statement - prose: Provide awareness training on recognizing and reporting potential indicators of insider threat. - - - id: at-2.2_gdn - name: guidance - prose: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations. - - - id: at-3 - class: SP800-53 - title: Role-based Training - parameters: - - - id: at-3_prm_1 - label: organization-defined roles and responsibilities - - - id: at-3_prm_2 - label: organization-defined frequency - - - id: at-3_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AT-3 - - - name: sort-id - value: AT-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: at-3_smt - name: statement - parts: - - - id: at-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}: - parts: - - - id: at-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and - - - id: at-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update role-based training {{ at-3_prm_3 }}. - - - id: at-3_gdn - name: guidance - prose: - """ - Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. - Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective. - """ - - - id: at-4 - class: SP800-53 - title: Training Records - parameters: - - - id: at-4_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AT-4 - - - name: sort-id - value: AT-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-4_smt - name: statement - parts: - - - id: at-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and - - - id: at-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain individual training records for {{ at-4_prm_1 }}. - - - id: at-4_gdn - name: guidance - prose: Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies. - - - id: au - class: family - title: Audit and Accountability - controls: - - - id: au-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: au-1_prm_1 - label: organization-defined personnel or roles - - - id: au-1_prm_2 - - - id: au-1_prm_3 - label: organization-defined official - - - id: au-1_prm_4 - label: organization-defined frequency - - - id: au-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AU-1 - - - name: sort-id - value: AU-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-1_smt - name: statement - parts: - - - id: au-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ au-1_prm_1 }}: - parts: - - - id: au-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ au-1_prm_2 }} audit and accountability policy that: - """ - parts: - - - id: au-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: au-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: au-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; - - - id: au-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and - - - id: au-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current audit and accountability: - parts: - - - id: au-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ au-1_prm_4 }}; and - - - id: au-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ au-1_prm_5 }}. - - - id: au-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: au-2 - class: SP800-53 - title: Event Logging - parameters: - - - id: au-2_prm_1 - label: organization-defined event types that the system is capable of logging - - - id: au-2_prm_2 - label: organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type - - - id: au-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AU-2 - - - name: sort-id - value: AU-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #02d8ec60-6197-43f8-9f47-18732127963e - rel: reference - text: [SP 800-92] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: au-2_smt - name: statement - parts: - - - id: au-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }}; - - - id: au-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; - - - id: au-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Specify the following event types for logging within the system: {{ au-2_prm_2 }}; - - - id: au-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and - - - id: au-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Review and update the event types selected for logging {{ au-2_prm_3 }}. - - - id: au-2_gdn - name: guidance - prose: - """ - An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. - To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. - Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. - """ - - - id: au-3 - class: SP800-53 - title: Content of Audit Records - properties: - - - name: label - value: AU-3 - - - name: sort-id - value: AU-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-8 - rel: related - text: AU-8 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: au-3_smt - name: statement - prose: Ensure that audit records contain information that establishes the following: - parts: - - - id: au-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: What type of event occurred; - - - id: au-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: When the event occurred; - - - id: au-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Where the event occurred; - - - id: au-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Source of the event; - - - id: au-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Outcome of the event; and - - - id: au-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Identity of any individuals, subjects, or objects/entities associated with the event. - - - id: au-3_gdn - name: guidance - prose: Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage. - - - id: au-4 - class: SP800-53 - title: Audit Log Storage Capacity - parameters: - - - id: au-4_prm_1 - label: organization-defined audit log retention requirements - properties: - - - name: label - value: AU-4 - - - name: sort-id - value: AU-04 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-4_smt - name: statement - prose: Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}. - - - id: au-4_gdn - name: guidance - prose: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability. - - - id: au-5 - class: SP800-53 - title: Response to Audit Logging Process Failures - parameters: - - - id: au-5_prm_1 - label: organization-defined personnel or roles - - - id: au-5_prm_2 - label: organization-defined time-period - - - id: au-5_prm_3 - label: organization-defined additional actions - properties: - - - name: label - value: AU-5 - - - name: sort-id - value: AU-05 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-5_smt - name: statement - parts: - - - id: au-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and - - - id: au-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Take the following additional actions: {{ au-5_prm_3 }}. - - - id: au-5_gdn - name: guidance - prose: Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel. - - - id: au-6 - class: SP800-53 - title: Audit Record Review, Analysis, and Reporting - parameters: - - - id: au-6_prm_1 - label: organization-defined frequency - - - id: au-6_prm_2 - label: organization-defined inappropriate or unusual activity - - - id: au-6_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: AU-6 - - - name: sort-id - value: AU-06 - links: - - - href: #35dfd59f-eef2-4f71-bdb5-6d878267456a - rel: reference - text: [SP 800-86] - - - href: #1e2c475a-84ae-4c60-b420-8fb2ea552b71 - rel: reference - text: [SP 800-101] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: au-6_smt - name: statement - parts: - - - id: au-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }}; - - - id: au-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report findings to {{ au-6_prm_3 }}; and - - - id: au-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. - - - id: au-6_gdn - name: guidance - prose: Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. - - - id: au-8 - class: SP800-53 - title: Time Stamps - parameters: - - - id: au-8_prm_1 - label: organization-defined granularity of time measurement - properties: - - - name: label - value: AU-8 - - - name: sort-id - value: AU-08 - links: - - - href: #17ca9481-ea11-4ef2-81c1-885fd37d4be5 - rel: reference - text: [IETF 5905] - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #sc-45 - rel: related - text: SC-45 - parts: - - - id: au-8_smt - name: statement - parts: - - - id: au-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Use internal system clocks to generate time stamps for audit records; and - - - id: au-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. - - - id: au-8_gdn - name: guidance - prose: Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. - - - id: au-9 - class: SP800-53 - title: Protection of Audit Information - properties: - - - name: label - value: AU-9 - - - name: sort-id - value: AU-09 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #au-15 - rel: related - text: AU-15 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-9_smt - name: statement - prose: Protect audit information and audit logging tools from unauthorized access, modification, and deletion. - - - id: au-9_gdn - name: guidance - prose: Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. - - - id: au-11 - class: SP800-53 - title: Audit Record Retention - parameters: - - - id: au-11_prm_1 - label: organization-defined time-period consistent with records retention policy - properties: - - - name: label - value: AU-11 - - - name: sort-id - value: AU-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-11_smt - name: statement - prose: Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - - - id: au-11_gdn - name: guidance - prose: Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. - - - id: au-12 - class: SP800-53 - title: Audit Record Generation - parameters: - - - id: au-12_prm_1 - label: organization-defined system components - - - id: au-12_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: AU-12 - - - name: sort-id - value: AU-12 - links: - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - parts: - - - id: au-12_smt - name: statement - parts: - - - id: au-12_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }}; - - - id: au-12_smt.b - name: item - properties: - - - name: label - value: b. - prose: Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and - - - id: au-12_smt.c - name: item - properties: - - - name: label - value: c. - prose: Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. - - - id: au-12_gdn - name: guidance - prose: Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. - - - id: ca - class: family - title: Assessment, Authorization, and Monitoring - controls: - - - id: ca-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ca-1_prm_1 - label: organization-defined personnel or roles - - - id: ca-1_prm_2 - - - id: ca-1_prm_3 - label: organization-defined official - - - id: ca-1_prm_4 - label: organization-defined frequency - - - id: ca-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-1 - - - name: sort-id - value: CA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-1_smt - name: statement - parts: - - - id: ca-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ca-1_prm_1 }}: - parts: - - - id: ca-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that: - """ - parts: - - - id: ca-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ca-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ca-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; - - - id: ca-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and - - - id: ca-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current assessment, authorization, and monitoring: - parts: - - - id: ca-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ca-1_prm_4 }}; and - - - id: ca-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ca-1_prm_5 }}. - - - id: ca-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ca-2 - class: SP800-53 - title: Control Assessments - parameters: - - - id: ca-2_prm_1 - label: organization-defined frequency - - - id: ca-2_prm_2 - label: organization-defined individuals or roles - properties: - - - name: label - value: CA-2 - - - name: sort-id - value: CA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: ca-2_smt - name: statement - parts: - - - id: ca-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a control assessment plan that describes the scope of the assessment including: - parts: - - - id: ca-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Controls and control enhancements under assessment; - - - id: ca-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Assessment procedures to be used to determine control effectiveness; and - - - id: ca-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Assessment environment, assessment team, and assessment roles and responsibilities; - - - id: ca-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; - - - id: ca-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; - - - id: ca-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Produce a control assessment report that document the results of the assessment; and - - - id: ca-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Provide the results of the control assessment to {{ ca-2_prm_2 }}. - - - id: ca-2_gdn - name: guidance - prose: - """ - Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. - Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. - Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. - To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control. - """ - - - id: ca-3 - class: SP800-53 - title: Information Exchange - parameters: - - - id: ca-3_prm_1 - - - id: ca-3_prm_2 - depends-on: ca-3_prm_1 - label: organization-defined type of agreement - - - id: ca-3_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CA-3 - - - name: sort-id - value: CA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #2e66c31a-190e-49ad-8e00-f306f8a0df17 - rel: reference - text: [SP 800-47] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-3_smt - name: statement - parts: - - - id: ca-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }}; - - - id: ca-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and - - - id: ca-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the agreements {{ ca-3_prm_3 }}. - - - id: ca-3_gdn - name: guidance - prose: - """ - System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk. - Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks. - """ - - - id: ca-5 - class: SP800-53 - title: Plan of Action and Milestones - parameters: - - - id: ca-5_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-5 - - - name: sort-id - value: CA-05 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-5_smt - name: statement - parts: - - - id: ca-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and - - - id: ca-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities. - - - id: ca-5_gdn - name: guidance - prose: Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB. - - - id: ca-6 - class: SP800-53 - title: Authorization - parameters: - - - id: ca-6_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-6 - - - name: sort-id - value: CA-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-6_smt - name: statement - parts: - - - id: ca-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Assign a senior official as the authorizing official for the system; - - - id: ca-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; - - - id: ca-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ensure that the authorizing official for the system, before commencing operations: - parts: - - - id: ca-6_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Accepts the use of common controls inherited by the system; and - - - id: ca-6_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Authorizes the system to operate; - - - id: ca-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; - - - id: ca-6_smt.e - name: item - properties: - - - name: label - value: e. - prose: Update the authorizations {{ ca-6_prm_1 }}. - - - id: ca-6_gdn - name: guidance - prose: - """ - Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. - Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. - """ - - - id: ca-7 - class: SP800-53 - title: Continuous Monitoring - parameters: - - - id: ca-7_prm_1 - label: organization-defined system-level metrics - - - id: ca-7_prm_2 - label: organization-defined frequencies - - - id: ca-7_prm_3 - label: organization-defined frequencies - - - id: ca-7_prm_4 - label: organization-defined personnel or roles - - - id: ca-7_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-7 - - - name: sort-id - value: CA-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - rel: reference - text: [IR 8011 v1] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-31 - rel: related - text: PM-31 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: ca-7_smt - name: statement - prose: Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: - parts: - - - id: ca-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }}; - - - id: ca-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness; - - - id: ca-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing control assessments in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.e - name: item - properties: - - - name: label - value: e. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: ca-7_smt.f - name: item - properties: - - - name: label - value: f. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: ca-7_smt.g - name: item - properties: - - - name: label - value: g. - prose: - """ - Reporting the security and privacy status of the system to {{ ca-7_prm_4 }} - {{ ca-7_prm_5 }}. - """ - - - id: ca-7_gdn - name: guidance - prose: - """ - Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. - Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - """ - controls: - - - id: ca-7.4 - class: SP800-53-enhancement - title: Risk Monitoring - properties: - - - name: label - value: CA-7(4) - - - name: sort-id - value: CA-07(04) - parts: - - - id: ca-7.4_smt - name: statement - prose: Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: - parts: - - - id: ca-7.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Effectiveness monitoring; - - - id: ca-7.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Compliance monitoring; and - - - id: ca-7.4_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Change monitoring. - - - id: ca-7.4_gdn - name: guidance - prose: Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk. - - - id: ca-9 - class: SP800-53 - title: Internal System Connections - parameters: - - - id: ca-9_prm_1 - label: organization-defined system components or classes of components - - - id: ca-9_prm_2 - label: organization-defined conditions - - - id: ca-9_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CA-9 - - - name: sort-id - value: CA-09 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-9_smt - name: statement - parts: - - - id: ca-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Authorize internal connections of {{ ca-9_prm_1 }} to the system; - - - id: ca-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; - - - id: ca-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Terminate internal system connections after {{ ca-9_prm_2 }}; and - - - id: ca-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review {{ ca-9_prm_3 }} the continued need for each internal connection. - - - id: ca-9_gdn - name: guidance - prose: Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions. - - - id: cm - class: family - title: Configuration Management - controls: - - - id: cm-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: cm-1_prm_1 - label: organization-defined personnel or roles - - - id: cm-1_prm_2 - - - id: cm-1_prm_3 - label: organization-defined official - - - id: cm-1_prm_4 - label: organization-defined frequency - - - id: cm-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CM-1 - - - name: sort-id - value: CM-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cm-1_smt - name: statement - parts: - - - id: cm-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ cm-1_prm_1 }}: - parts: - - - id: cm-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cm-1_prm_2 }} configuration management policy that: - """ - parts: - - - id: cm-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: cm-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: cm-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; - - - id: cm-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and - - - id: cm-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current configuration management: - parts: - - - id: cm-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ cm-1_prm_4 }}; and - - - id: cm-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ cm-1_prm_5 }}. - - - id: cm-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: cm-2 - class: SP800-53 - title: Baseline Configuration - parameters: - - - id: cm-2_prm_1 - label: organization-defined frequency - - - id: cm-2_prm_2 - label: Assignment organization-defined circumstances - properties: - - - name: label - value: CM-2 - - - name: sort-id - value: CM-02 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #cp-12 - rel: related - text: CP-12 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-18 - rel: related - text: SC-18 - parts: - - - id: cm-2_smt - name: statement - parts: - - - id: cm-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and maintain under configuration control, a current baseline configuration of the system; and - - - id: cm-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the baseline configuration of the system: - parts: - - - id: cm-2_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cm-2_prm_1 }}; - """ - - - id: cm-2_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: When required due to {{ cm-2_prm_2 }}; and - - - id: cm-2_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: When system components are installed or upgraded. - - - id: cm-2_gdn - name: guidance - prose: Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. - - - id: cm-4 - class: SP800-53 - title: Impact Analyses - properties: - - - name: label - value: CM-4 - - - name: sort-id - value: CM-04 - links: - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: cm-4_smt - name: statement - prose: Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. - - - id: cm-4_gdn - name: guidance - prose: Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required. - - - id: cm-5 - class: SP800-53 - title: Access Restrictions for Change - properties: - - - name: label - value: CM-5 - - - name: sort-id - value: CM-05 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-10 - rel: related - text: SI-10 - parts: - - - id: cm-5_smt - name: statement - prose: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - - - id: cm-5_gdn - name: guidance - prose: Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times). - - - id: cm-6 - class: SP800-53 - title: Configuration Settings - parameters: - - - id: cm-6_prm_1 - label: organization-defined common secure configurations - - - id: cm-6_prm_2 - label: organization-defined system components - - - id: cm-6_prm_3 - label: organization-defined operational requirements - properties: - - - name: label - value: CM-6 - - - name: sort-id - value: CM-06 - links: - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - rel: reference - text: [SP 800-126] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #06842bea-64c9-4e20-807a-b8fc003fa737 - rel: reference - text: [USGCB] - - - href: #5cc04a1c-5489-4751-a493-746a9639067b - rel: reference - text: [NCPR] - - - href: #294eed19-7471-4517-9480-2ec73e7c6a78 - rel: reference - text: [DOD STIG] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-6 - rel: related - text: SI-6 - parts: - - - id: cm-6_smt - name: statement - parts: - - - id: cm-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements; - - - id: cm-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the configuration settings; - - - id: cm-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and - - - id: cm-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. - - - id: cm-6_gdn - name: guidance - prose: - """ - Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. - Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. - Implementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings. - """ - - - id: cm-7 - class: SP800-53 - title: Least Functionality - parameters: - - - id: cm-7_prm_1 - label: organization-defined mission essential capabilities - - - id: cm-7_prm_2 - label: organization-defined prohibited or restricted functions, ports, protocols, software, and/or services - properties: - - - name: label - value: CM-7 - - - name: sort-id - value: CM-07 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #893d1736-324c-41d6-a5f4-d526b5ca981a - rel: reference - text: [SP 800-167] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: cm-7_smt - name: statement - parts: - - - id: cm-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Configure the system to provide only {{ cm-7_prm_1 }}; and - - - id: cm-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}. - - - id: cm-7_gdn - name: guidance - prose: Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3). - - - id: cm-8 - class: SP800-53 - title: System Component Inventory - parameters: - - - id: cm-8_prm_1 - label: organization-defined information deemed necessary to achieve effective system component accountability - - - id: cm-8_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CM-8 - - - name: sort-id - value: CM-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: cm-8_smt - name: statement - parts: - - - id: cm-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and document an inventory of system components that: - parts: - - - id: cm-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Accurately reflects the system; - - - id: cm-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Includes all components within the system; - - - id: cm-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Is at the level of granularity deemed necessary for tracking and reporting; and - - - id: cm-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and - - - id: cm-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the system component inventory {{ cm-8_prm_2 }}. - - - id: cm-8_gdn - name: guidance - prose: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. - - - id: cm-10 - class: SP800-53 - title: Software Usage Restrictions - properties: - - - name: label - value: CM-10 - - - name: sort-id - value: CM-10 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: cm-10_smt - name: statement - parts: - - - id: cm-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Use software and associated documentation in accordance with contract agreements and copyright laws; - - - id: cm-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and - - - id: cm-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. - - - id: cm-10_gdn - name: guidance - prose: Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement. - - - id: cm-11 - class: SP800-53 - title: User-installed Software - parameters: - - - id: cm-11_prm_1 - label: organization-defined policies - - - id: cm-11_prm_2 - label: organization-defined methods - - - id: cm-11_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CM-11 - - - name: sort-id - value: CM-11 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-11_smt - name: statement - parts: - - - id: cm-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish {{ cm-11_prm_1 }} governing the installation of software by users; - - - id: cm-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and - - - id: cm-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Monitor policy compliance {{ cm-11_prm_3 }}. - - - id: cm-11_gdn - name: guidance - prose: If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods. - - - id: cp - class: family - title: Contingency Planning - controls: - - - id: cp-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: cp-1_prm_1 - label: organization-defined personnel or roles - - - id: cp-1_prm_2 - - - id: cp-1_prm_3 - label: organization-defined official - - - id: cp-1_prm_4 - label: organization-defined frequency - - - id: cp-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CP-1 - - - name: sort-id - value: CP-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cp-1_smt - name: statement - parts: - - - id: cp-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ cp-1_prm_1 }}: - parts: - - - id: cp-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cp-1_prm_2 }} contingency planning policy that: - """ - parts: - - - id: cp-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: cp-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: cp-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; - - - id: cp-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and - - - id: cp-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current contingency planning: - parts: - - - id: cp-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ cp-1_prm_4 }}; and - - - id: cp-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ cp-1_prm_5 }}. - - - id: cp-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: cp-2 - class: SP800-53 - title: Contingency Plan - parameters: - - - id: cp-2_prm_1 - label: organization-defined personnel or roles - - - id: cp-2_prm_2 - label: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - - - id: cp-2_prm_3 - label: organization-defined frequency - - - id: cp-2_prm_4 - label: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - properties: - - - name: label - value: CP-2 - - - name: sort-id - value: CP-02 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #7a93e915-fd58-4147-be12-e48044c367e6 - rel: reference - text: [IR 8179] - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #cp-11 - rel: related - text: CP-11 - - - href: #cp-13 - rel: related - text: CP-13 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-20 - rel: related - text: SA-20 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cp-2_smt - name: statement - parts: - - - id: cp-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a contingency plan for the system that: - parts: - - - id: cp-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Identifies essential missions and business functions and associated contingency requirements; - - - id: cp-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Provides recovery objectives, restoration priorities, and metrics; - - - id: cp-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Addresses contingency roles, responsibilities, assigned individuals with contact information; - - - id: cp-2_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure; - - - id: cp-2_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and - - - id: cp-2_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Is reviewed and approved by {{ cp-2_prm_1 }}; - - - id: cp-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the contingency plan to {{ cp-2_prm_2 }}; - - - id: cp-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Coordinate contingency planning activities with incident handling activities; - - - id: cp-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review the contingency plan for the system {{ cp-2_prm_3 }}; - - - id: cp-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; - - - id: cp-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Communicate contingency plan changes to {{ cp-2_prm_4 }}; and - - - id: cp-2_smt.g - name: item - properties: - - - name: label - value: g. - prose: Protect the contingency plan from unauthorized disclosure and modification. - - - id: cp-2_gdn - name: guidance - prose: - """ - Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - In addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family. - """ - - - id: cp-3 - class: SP800-53 - title: Contingency Training - parameters: - - - id: cp-3_prm_1 - label: organization-defined time-period - - - id: cp-3_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CP-3 - - - name: sort-id - value: CP-03 - links: - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: cp-3_smt - name: statement - prose: Provide contingency training to system users consistent with assigned roles and responsibilities: - parts: - - - id: cp-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility; - - - id: cp-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: When required by system changes; and - - - id: cp-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: - """ - - {{ cp-3_prm_2 }} thereafter. - """ - - - id: cp-3_gdn - name: guidance - prose: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. - - - id: cp-4 - class: SP800-53 - title: Contingency Plan Testing - parameters: - - - id: cp-4_prm_1 - label: organization-defined frequency - - - id: cp-4_prm_2 - label: organization-defined tests - properties: - - - name: label - value: CP-4 - - - name: sort-id - value: CP-04 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #20bf433b-074c-47a0-8fca-cd591772ccd6 - rel: reference - text: [SP 800-84] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: cp-4_smt - name: statement - parts: - - - id: cp-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}. - - - id: cp-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the contingency plan test results; and - - - id: cp-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Initiate corrective actions, if needed. - - - id: cp-4_gdn - name: guidance - prose: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. - - - id: cp-9 - class: SP800-53 - title: System Backup - parameters: - - - id: cp-9_prm_1 - label: organization-defined system components - - - id: cp-9_prm_2 - label: organization-defined frequency consistent with recovery time and recovery point objectives - - - id: cp-9_prm_3 - label: organization-defined frequency consistent with recovery time and recovery point objectives - - - id: cp-9_prm_4 - label: organization-defined frequency consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-9 - - - name: sort-id - value: CP-09 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #ae412317-c2b4-47bb-b47b-c329ce0d7a0b - rel: reference - text: [SP 800-130] - - - href: #38dbdf55-9a14-446f-b563-c48e4e3d37fb - rel: reference - text: [SP 800-152] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-9_smt - name: statement - parts: - - - id: cp-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - Conduct backups of user-level information contained in {{ cp-9_prm_1 }} - {{ cp-9_prm_2 }}; - """ - - - id: cp-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }}; - - - id: cp-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and - - - id: cp-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect the confidentiality, integrity, and availability of backup information. - - - id: cp-9_gdn - name: guidance - prose: System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. - - - id: cp-10 - class: SP800-53 - title: System Recovery and Reconstitution - parameters: - - - id: cp-10_prm_1 - label: organization-defined time-period consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-10 - - - name: sort-id - value: CP-10 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-24 - rel: related - text: SC-24 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-10_smt - name: statement - prose: Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure. - - - id: cp-10_gdn - name: guidance - prose: Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. - - - id: ia - class: family - title: Identification and Authentication - controls: - - - id: ia-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ia-1_prm_1 - label: organization-defined personnel or roles - - - id: ia-1_prm_2 - - - id: ia-1_prm_3 - label: organization-defined official - - - id: ia-1_prm_4 - label: organization-defined frequency - - - id: ia-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: IA-1 - - - name: sort-id - value: IA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ia-1_smt - name: statement - parts: - - - id: ia-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ia-1_prm_1 }}: - parts: - - - id: ia-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ia-1_prm_2 }} identification and authentication policy that: - """ - parts: - - - id: ia-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ia-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ia-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; - - - id: ia-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and - - - id: ia-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current identification and authentication: - parts: - - - id: ia-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ia-1_prm_4 }}; and - - - id: ia-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ia-1_prm_5 }}. - - - id: ia-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ia-2 - class: SP800-53 - title: Identification and Authentication (organizational Users) - properties: - - - name: label - value: IA-2 - - - name: sort-id - value: IA-02 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa - rel: reference - text: [SP 800-156] - - - href: #a8f55663-86c5-415b-aabe-d2a126981d65 - rel: reference - text: [SP 800-166] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #daf69edb-a0ef-4447-9880-8c4bf553181f - rel: reference - text: [IR 7676] - - - href: #a49f67fc-827c-40e6-9a37-2b1cbe8142fd - rel: reference - text: [IR 7817] - - - href: #972c10bd-aedf-485f-b0db-f46a402127e2 - rel: reference - text: [IR 7849] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: ia-2_smt - name: statement - prose: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. - - - id: ia-2_gdn - name: guidance - prose: - """ - Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. - Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. - The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8. - """ - controls: - - - id: ia-2.1 - class: SP800-53-enhancement - title: Multifactor Authentication to Privileged Accounts - properties: - - - name: label - value: IA-2(1) - - - name: sort-id - value: IA-02(01) - links: - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - parts: - - - id: ia-2.1_smt - name: statement - prose: Implement multifactor authentication for access to privileged accounts. - - - id: ia-2.1_gdn - name: guidance - prose: Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. - - - id: ia-2.2 - class: SP800-53-enhancement - title: Multifactor Authentication to Non-privileged Accounts - properties: - - - name: label - value: IA-2(2) - - - name: sort-id - value: IA-02(02) - links: - - - href: #ac-5 - rel: related - text: AC-5 - parts: - - - id: ia-2.2_smt - name: statement - prose: Implement multifactor authentication for access to non-privileged accounts. - - - id: ia-2.2_gdn - name: guidance - prose: Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. - - - id: ia-2.8 - class: SP800-53-enhancement - title: Access to Accounts — Replay Resistant - parameters: - - - id: ia-2.8_prm_1 - properties: - - - name: label - value: IA-2(8) - - - name: sort-id - value: IA-02(08) - parts: - - - id: ia-2.8_smt - name: statement - prose: Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}. - - - id: ia-2.8_gdn - name: guidance - prose: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. - - - id: ia-2.12 - class: SP800-53-enhancement - title: Acceptance of PIV Credentials - properties: - - - name: label - value: IA-2(12) - - - name: sort-id - value: IA-02(12) - parts: - - - id: ia-2.12_smt - name: statement - prose: Accept and electronically verify Personal Identity Verification-compliant credentials. - - - id: ia-2.12_gdn - name: guidance - prose: Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential. - - - id: ia-4 - class: SP800-53 - title: Identifier Management - parameters: - - - id: ia-4_prm_1 - label: organization-defined personnel or roles - - - id: ia-4_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: IA-4 - - - name: sort-id - value: IA-04 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #sc-37 - rel: related - text: SC-37 - parts: - - - id: ia-4_smt - name: statement - prose: Manage system identifiers by: - parts: - - - id: ia-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier; - - - id: ia-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Selecting an identifier that identifies an individual, group, role, service, or device; - - - id: ia-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assigning the identifier to the intended individual, group, role, service, or device; and - - - id: ia-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Preventing reuse of identifiers for {{ ia-4_prm_2 }}. - - - id: ia-4_gdn - name: guidance - prose: Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices. - - - id: ia-5 - class: SP800-53 - title: Authenticator Management - parameters: - - - id: ia-5_prm_1 - label: organization-defined time-period by authenticator type - properties: - - - name: label - value: IA-5 - - - name: sort-id - value: IA-05 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #a49f67fc-827c-40e6-9a37-2b1cbe8142fd - rel: reference - text: [IR 7817] - - - href: #972c10bd-aedf-485f-b0db-f46a402127e2 - rel: reference - text: [IR 7849] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #24738ee6-b3f3-4e37-825b-58775846bdbc - rel: reference - text: [IR 8040] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - parts: - - - id: ia-5_smt - name: statement - prose: Manage system authenticators by: - parts: - - - id: ia-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; - - - id: ia-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing initial authenticator content for any authenticators issued by the organization; - - - id: ia-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ensuring that authenticators have sufficient strength of mechanism for their intended use; - - - id: ia-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; - - - id: ia-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; - - - id: ia-5_smt.f - name: item - properties: - - - name: label - value: f. - prose: Changing default authenticators prior to first use; - - - id: ia-5_smt.g - name: item - properties: - - - name: label - value: g. - prose: Changing or refreshing authenticators {{ ia-5_prm_1 }}; - - - id: ia-5_smt.h - name: item - properties: - - - name: label - value: h. - prose: Protecting authenticator content from unauthorized disclosure and modification; - - - id: ia-5_smt.i - name: item - properties: - - - name: label - value: i. - prose: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and - - - id: ia-5_smt.j - name: item - properties: - - - name: label - value: j. - prose: Changing authenticators for group or role accounts when membership to those accounts changes. - - - id: ia-5_gdn - name: guidance - prose: - """ - Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. - Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. - """ - controls: - - - id: ia-5.1 - class: SP800-53-enhancement - title: Password-based Authentication - parameters: - - - id: ia-5.1_prm_1 - label: organization-defined frequency - - - id: ia-5.1_prm_2 - label: organization-defined composition and complexity rules - properties: - - - name: label - value: IA-5(1) - - - name: sort-id - value: IA-05(01) - links: - - - href: #ia-6 - rel: related - text: IA-6 - parts: - - - id: ia-5.1_smt - name: statement - prose: For password-based authentication: - parts: - - - id: ia-5.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly; - - - id: ia-5.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords; - - - id: ia-5.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Transmit only cryptographically-protected passwords; - - - id: ia-5.1_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Store passwords using an approved hash algorithm and salt, preferably using a keyed hash; - - - id: ia-5.1_smt.e - name: item - properties: - - - name: label - value: (e) - prose: Require immediate selection of a new password upon account recovery; - - - id: ia-5.1_smt.f - name: item - properties: - - - name: label - value: (f) - prose: Allow user selection of long passwords and passphrases, including spaces and all printable characters; - - - id: ia-5.1_smt.g - name: item - properties: - - - name: label - value: (g) - prose: Employ automated tools to assist the user in selecting strong password authenticators; and - - - id: ia-5.1_smt.h - name: item - properties: - - - name: label - value: (h) - prose: Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}. - - - id: ia-5.1_gdn - name: guidance - prose: Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof. - - - id: ia-6 - class: SP800-53 - title: Authenticator Feedback - properties: - - - name: label - value: IA-6 - - - name: sort-id - value: IA-06 - links: - - - href: #ac-3 - rel: related - text: AC-3 - parts: - - - id: ia-6_smt - name: statement - prose: Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. - - - id: ia-6_gdn - name: guidance - prose: Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it. - - - id: ia-7 - class: SP800-53 - title: Cryptographic Module Authentication - properties: - - - name: label - value: IA-7 - - - name: sort-id - value: IA-07 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ia-7_smt - name: statement - prose: Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. - - - id: ia-7_gdn - name: guidance - prose: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. - - - id: ia-8 - class: SP800-53 - title: Identification and Authentication (non-organizational Users) - properties: - - - name: label - value: IA-8 - - - name: sort-id - value: IA-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #ad7d575f-b5fe-489b-8d48-36a93d964a5f - rel: reference - text: [SP 800-116] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-10 - rel: related - text: IA-10 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-8 - rel: related - text: SC-8 - parts: - - - id: ia-8_smt - name: statement - prose: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. - - - id: ia-8_gdn - name: guidance - prose: Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk. - controls: - - - id: ia-8.1 - class: SP800-53-enhancement - title: Acceptance of PIV Credentials from Other Agencies - properties: - - - name: label - value: IA-8(1) - - - name: sort-id - value: IA-08(01) - links: - - - href: #pe-3 - rel: related - text: PE-3 - parts: - - - id: ia-8.1_smt - name: statement - prose: Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. - - - id: ia-8.1_gdn - name: guidance - prose: Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]. - - - id: ia-8.2 - class: SP800-53-enhancement - title: Acceptance of External Credentials - properties: - - - name: label - value: IA-8(2) - - - name: sort-id - value: IA-08(02) - parts: - - - id: ia-8.2_smt - name: statement - prose: Accept only external credentials that are NIST-compliant. - - - id: ia-8.2_gdn - name: guidance - prose: Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels. - - - id: ia-8.4 - class: SP800-53-enhancement - title: Use of Nist-issued Profiles - properties: - - - name: label - value: IA-8(4) - - - name: sort-id - value: IA-08(04) - parts: - - - id: ia-8.4_smt - name: statement - prose: Conform to NIST-issued profiles for identity management. - - - id: ia-8.4_gdn - name: guidance - prose: Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols. - - - id: ia-11 - class: SP800-53 - title: Re-authentication - parameters: - - - id: ia-11_prm_1 - label: organization-defined circumstances or situations requiring re-authentication - properties: - - - name: label - value: IA-11 - - - name: sort-id - value: IA-11 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-11 - rel: related - text: AC-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - parts: - - - id: ia-11_smt - name: statement - prose: Require users to re-authenticate when {{ ia-11_prm_1 }}. - - - id: ia-11_gdn - name: guidance - prose: In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically. - - - id: ir - class: family - title: Incident Response - controls: - - - id: ir-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ir-1_prm_1 - label: organization-defined personnel or roles - - - id: ir-1_prm_2 - - - id: ir-1_prm_3 - label: organization-defined official - - - id: ir-1_prm_4 - label: organization-defined frequency - - - id: ir-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: IR-1 - - - name: sort-id - value: IR-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ir-1_smt - name: statement - parts: - - - id: ir-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ir-1_prm_1 }}: - parts: - - - id: ir-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ir-1_prm_2 }} incident response policy that: - """ - parts: - - - id: ir-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ir-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ir-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; - - - id: ir-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and - - - id: ir-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current incident response: - parts: - - - id: ir-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ir-1_prm_4 }}; and - - - id: ir-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ir-1_prm_5 }}. - - - id: ir-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ir-2 - class: SP800-53 - title: Incident Response Training - parameters: - - - id: ir-2_prm_1 - label: organization-defined time-period - - - id: ir-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: IR-2 - - - name: sort-id - value: IR-02 - links: - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: ir-2_smt - name: statement - prose: Provide incident response training to system users consistent with assigned roles and responsibilities: - parts: - - - id: ir-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access; - - - id: ir-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: When required by system changes; and - - - id: ir-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: - """ - - {{ ir-2_prm_2 }} thereafter. - """ - - - id: ir-2_gdn - name: guidance - prose: Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. - - - id: ir-4 - class: SP800-53 - title: Incident Handling - properties: - - - name: label - value: IR-4 - - - name: sort-id - value: IR-04 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #35dfd59f-eef2-4f71-bdb5-6d878267456a - rel: reference - text: [SP 800-86] - - - href: #1e2c475a-84ae-4c60-b420-8fb2ea552b71 - rel: reference - text: [SP 800-101] - - - href: #ad3e8f21-07c6-4968-b002-00b64dfa70ae - rel: reference - text: [SP 800-150] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #08f518f7-f9b9-4bee-8986-860214f46b16 - rel: reference - text: [SP 800-184] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ir-4_smt - name: statement - parts: - - - id: ir-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; - - - id: ir-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate incident handling activities with contingency planning activities; - - - id: ir-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and - - - id: ir-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. - - - id: ir-4_gdn - name: guidance - prose: Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk. - - - id: ir-5 - class: SP800-53 - title: Incident Monitoring - properties: - - - name: label - value: IR-5 - - - name: sort-id - value: IR-05 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ir-5_smt - name: statement - prose: Track and document security, privacy, and supply chain incidents. - - - id: ir-5_gdn - name: guidance - prose: Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports. - - - id: ir-6 - class: SP800-53 - title: Incident Reporting - parameters: - - - id: ir-6_prm_1 - label: organization-defined time-period - - - id: ir-6_prm_2 - label: organization-defined authorities - properties: - - - name: label - value: IR-6 - - - name: sort-id - value: IR-06 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: ir-6_smt - name: statement - parts: - - - id: ir-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and - - - id: ir-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}. - - - id: ir-6_gdn - name: guidance - prose: The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - - - id: ir-7 - class: SP800-53 - title: Incident Response Assistance - properties: - - - name: label - value: IR-7 - - - name: sort-id - value: IR-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-26 - rel: related - text: PM-26 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: ir-7_smt - name: statement - prose: Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents. - - - id: ir-7_gdn - name: guidance - prose: Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required. - - - id: ir-8 - class: SP800-53 - title: Incident Response Plan - parameters: - - - id: ir-8_prm_1 - label: organization-defined personnel or roles - - - id: ir-8_prm_2 - label: organization-defined frequency - - - id: ir-8_prm_3 - label: organization-defined entities, personnel, or roles - - - id: ir-8_prm_4 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - - id: ir-8_prm_5 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - properties: - - - name: label - value: IR-8 - - - name: sort-id - value: IR-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #389fe193-866e-46b1-bf1d-38904b56aa7b - rel: reference - text: [OMB M-17-12] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-8 - rel: related - text: SR-8 - parts: - - - id: ir-8_smt - name: statement - parts: - - - id: ir-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop an incident response plan that: - parts: - - - id: ir-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Provides the organization with a roadmap for implementing its incident response capability; - - - id: ir-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Describes the structure and organization of the incident response capability; - - - id: ir-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Provides a high-level approach for how the incident response capability fits into the overall organization; - - - id: ir-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; - - - id: ir-8_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Defines reportable incidents; - - - id: ir-8_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provides metrics for measuring the incident response capability within the organization; - - - id: ir-8_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Defines the resources and management support needed to effectively maintain and mature an incident response capability; - - - id: ir-8_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: - """ - Is reviewed and approved by {{ ir-8_prm_1 }} - {{ ir-8_prm_2 }}; and - """ - - - id: ir-8_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}. - - - id: ir-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the incident response plan to {{ ir-8_prm_4 }}; - - - id: ir-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; - - - id: ir-8_smt.d - name: item - properties: - - - name: label - value: d. - prose: Communicate incident response plan changes to {{ ir-8_prm_5 }}; and - - - id: ir-8_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the incident response plan from unauthorized disclosure and modification. - - - id: ir-8_gdn - name: guidance - prose: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly. - - - id: ma - class: family - title: Maintenance - controls: - - - id: ma-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ma-1_prm_1 - label: organization-defined personnel or roles - - - id: ma-1_prm_2 - - - id: ma-1_prm_3 - label: organization-defined official - - - id: ma-1_prm_4 - label: organization-defined frequency - - - id: ma-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: MA-1 - - - name: sort-id - value: MA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ma-1_smt - name: statement - parts: - - - id: ma-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ma-1_prm_1 }}: - parts: - - - id: ma-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ma-1_prm_2 }} maintenance policy that: - """ - parts: - - - id: ma-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ma-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ma-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; - - - id: ma-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and - - - id: ma-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current maintenance: - parts: - - - id: ma-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ma-1_prm_4 }}; and - - - id: ma-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ma-1_prm_5 }}. - - - id: ma-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ma-2 - class: SP800-53 - title: Controlled Maintenance - parameters: - - - id: ma-2_prm_1 - label: organization-defined personnel or roles - - - id: ma-2_prm_2 - label: organization-defined information - - - id: ma-2_prm_3 - label: organization-defined information - properties: - - - name: label - value: MA-2 - - - name: sort-id - value: MA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: ma-2_smt - name: statement - parts: - - - id: ma-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; - - - id: ma-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; - - - id: ma-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; - - - id: ma-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }}; - - - id: ma-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and - - - id: ma-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}. - - - id: ma-2_gdn - name: guidance - prose: Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems. - - - id: ma-4 - class: SP800-53 - title: Nonlocal Maintenance - properties: - - - name: label - value: MA-4 - - - name: sort-id - value: MA-04 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #bbc7085f-b383-444e-af74-722a55cccc0f - rel: reference - text: [FIPS 197] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-10 - rel: related - text: SC-10 - parts: - - - id: ma-4_smt - name: statement - parts: - - - id: ma-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve and monitor nonlocal maintenance and diagnostic activities; - - - id: ma-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; - - - id: ma-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; - - - id: ma-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Maintain records for nonlocal maintenance and diagnostic activities; and - - - id: ma-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Terminate session and network connections when nonlocal maintenance is completed. - - - id: ma-4_gdn - name: guidance - prose: Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. - - - id: ma-5 - class: SP800-53 - title: Maintenance Personnel - properties: - - - name: label - value: MA-5 - - - name: sort-id - value: MA-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: ma-5_smt - name: statement - parts: - - - id: ma-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; - - - id: ma-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and - - - id: ma-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. - - - id: ma-5_gdn - name: guidance - prose: Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods. - - - id: mp - class: family - title: Media Protection - controls: - - - id: mp-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: mp-1_prm_1 - label: organization-defined personnel or roles - - - id: mp-1_prm_2 - - - id: mp-1_prm_3 - label: organization-defined official - - - id: mp-1_prm_4 - label: organization-defined frequency - - - id: mp-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: MP-1 - - - name: sort-id - value: MP-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-1_smt - name: statement - parts: - - - id: mp-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ mp-1_prm_1 }}: - parts: - - - id: mp-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ mp-1_prm_2 }} media protection policy that: - """ - parts: - - - id: mp-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: mp-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: mp-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; - - - id: mp-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and - - - id: mp-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current media protection: - parts: - - - id: mp-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ mp-1_prm_4 }}; and - - - id: mp-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ mp-1_prm_5 }}. - - - id: mp-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: mp-2 - class: SP800-53 - title: Media Access - parameters: - - - id: mp-2_prm_1 - label: organization-defined types of digital and/or non-digital media - - - id: mp-2_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: MP-2 - - - name: sort-id - value: MP-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-2_smt - name: statement - prose: Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}. - - - id: mp-2_gdn - name: guidance - prose: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media. - - - id: mp-6 - class: SP800-53 - title: Media Sanitization - parameters: - - - id: mp-6_prm_1 - label: organization-defined system media - - - id: mp-6_prm_2 - label: organization-defined sanitization techniques and procedures - properties: - - - name: label - value: MP-6 - - - name: sort-id - value: MP-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #a52271dc-11b5-423a-8b6f-14867bd94259 - rel: reference - text: [NSA MEDIA] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - - - href: #si-19 - rel: related - text: SI-19 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: mp-6_smt - name: statement - parts: - - - id: mp-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and - - - id: mp-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. - - - id: mp-6_gdn - name: guidance - prose: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information. - - - id: mp-7 - class: SP800-53 - title: Media Use - parameters: - - - id: mp-7_prm_1 - - - id: mp-7_prm_2 - label: organization-defined types of system media - - - id: mp-7_prm_3 - label: organization-defined systems or system components - - - id: mp-7_prm_4 - label: organization-defined controls - properties: - - - name: label - value: MP-7 - - - name: sort-id - value: MP-07 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-41 - rel: related - text: SC-41 - parts: - - - id: mp-7_smt - name: statement - parts: - - - id: mp-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - - {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and - """ - - - id: mp-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. - - - id: mp-7_gdn - name: guidance - prose: System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices. - - - id: pe - class: family - title: Physical and Environmental Protection - controls: - - - id: pe-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pe-1_prm_1 - label: organization-defined personnel or roles - - - id: pe-1_prm_2 - - - id: pe-1_prm_3 - label: organization-defined official - - - id: pe-1_prm_4 - label: organization-defined frequency - - - id: pe-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PE-1 - - - name: sort-id - value: PE-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pe-1_smt - name: statement - parts: - - - id: pe-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pe-1_prm_1 }}: - parts: - - - id: pe-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pe-1_prm_2 }} physical and environmental protection policy that: - """ - parts: - - - id: pe-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pe-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pe-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; - - - id: pe-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and - - - id: pe-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current physical and environmental protection: - parts: - - - id: pe-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pe-1_prm_4 }}; and - - - id: pe-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pe-1_prm_5 }}. - - - id: pe-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pe-2 - class: SP800-53 - title: Physical Access Authorizations - parameters: - - - id: pe-2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PE-2 - - - name: sort-id - value: PE-02 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-8 - rel: related - text: PE-8 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-6 - rel: related - text: PS-6 - parts: - - - id: pe-2_smt - name: statement - parts: - - - id: pe-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; - - - id: pe-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Issue authorization credentials for facility access; - - - id: pe-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and - - - id: pe-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Remove individuals from the facility access list when access is no longer required. - - - id: pe-2_gdn - name: guidance - prose: Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible. - - - id: pe-3 - class: SP800-53 - title: Physical Access Control - parameters: - - - id: pe-3_prm_1 - label: organization-defined entry and exit points to the facility where the system resides - - - id: pe-3_prm_2 - - - id: pe-3_prm_3 - depends-on: pe-3_prm_2 - label: organization-defined physical access control systems or devices - - - id: pe-3_prm_4 - label: organization-defined entry or exit points - - - id: pe-3_prm_5 - label: organization-defined controls - - - id: pe-3_prm_6 - label: organization-defined circumstances requiring visitor escorts and monitoring - - - id: pe-3_prm_7 - label: organization-defined physical access devices - - - id: pe-3_prm_8 - label: organization-defined frequency - - - id: pe-3_prm_9 - label: organization-defined frequency - properties: - - - name: label - value: PE-3 - - - name: sort-id - value: PE-03 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ad7d575f-b5fe-489b-8d48-36a93d964a5f - rel: reference - text: [SP 800-116] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-8 - rel: related - text: PE-8 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: pe-3_smt - name: statement - parts: - - - id: pe-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enforce physical access authorizations at {{ pe-3_prm_1 }} by: - parts: - - - id: pe-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Verifying individual access authorizations before granting access to the facility; and - - - id: pe-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Controlling ingress and egress to the facility using {{ pe-3_prm_2 }}; - - - id: pe-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain physical access audit logs for {{ pe-3_prm_4 }}; - - - id: pe-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }}; - - - id: pe-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Escort visitors and monitor visitor activity {{ pe-3_prm_6 }}; - - - id: pe-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Secure keys, combinations, and other physical access devices; - - - id: pe-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and - - - id: pe-3_smt.g - name: item - properties: - - - name: label - value: g. - prose: Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. - - - id: pe-3_gdn - name: guidance - prose: Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components. - - - id: pe-6 - class: SP800-53 - title: Monitoring Physical Access - parameters: - - - id: pe-6_prm_1 - label: organization-defined frequency - - - id: pe-6_prm_2 - label: organization-defined events or potential indications of events - properties: - - - name: label - value: PE-6 - - - name: sort-id - value: PE-06 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - parts: - - - id: pe-6_smt - name: statement - parts: - - - id: pe-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; - - - id: pe-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and - - - id: pe-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Coordinate results of reviews and investigations with the organizational incident response capability. - - - id: pe-6_gdn - name: guidance - prose: Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses. - - - id: pe-8 - class: SP800-53 - title: Visitor Access Records - parameters: - - - id: pe-8_prm_1 - label: organization-defined time-period - - - id: pe-8_prm_2 - label: organization-defined frequency - - - id: pe-8_prm_3 - label: organization-defined personnel - properties: - - - name: label - value: PE-8 - - - name: sort-id - value: PE-08 - links: - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - parts: - - - id: pe-8_smt - name: statement - parts: - - - id: pe-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }}; - - - id: pe-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review visitor access records {{ pe-8_prm_2 }}; and - - - id: pe-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Report anomalies in visitor access records to {{ pe-8_prm_3 }}. - - - id: pe-8_gdn - name: guidance - prose: Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas. - - - id: pe-12 - class: SP800-53 - title: Emergency Lighting - properties: - - - name: label - value: PE-12 - - - name: sort-id - value: PE-12 - links: - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: pe-12_smt - name: statement - prose: Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. - - - id: pe-12_gdn - name: guidance - prose: The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites. - - - id: pe-13 - class: SP800-53 - title: Fire Protection - properties: - - - name: label - value: PE-13 - - - name: sort-id - value: PE-13 - links: - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: pe-13_smt - name: statement - prose: Employ and maintain fire detection and suppression systems that are supported by an independent energy source. - - - id: pe-13_gdn - name: guidance - prose: The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors. - - - id: pe-14 - class: SP800-53 - title: Environmental Controls - parameters: - - - id: pe-14_prm_1 - - - id: pe-14_prm_2 - depends-on: pe-14_prm_1 - label: organization-defined environmental control - - - id: pe-14_prm_3 - label: organization-defined acceptable levels - - - id: pe-14_prm_4 - label: organization-defined frequency - properties: - - - name: label - value: PE-14 - - - name: sort-id - value: PE-14 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pe-21 - rel: related - text: PE-21 - parts: - - - id: pe-14_smt - name: statement - parts: - - - id: pe-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and - - - id: pe-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Monitor environmental control levels {{ pe-14_prm_4 }}. - - - id: pe-14_gdn - name: guidance - prose: The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure. - - - id: pe-15 - class: SP800-53 - title: Water Damage Protection - properties: - - - name: label - value: PE-15 - - - name: sort-id - value: PE-15 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pe-10 - rel: related - text: PE-10 - parts: - - - id: pe-15_smt - name: statement - prose: Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. - - - id: pe-15_gdn - name: guidance - prose: The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. - - - id: pe-16 - class: SP800-53 - title: Delivery and Removal - parameters: - - - id: pe-16_prm_1 - label: organization-defined types of system components - properties: - - - name: label - value: PE-16 - - - name: sort-id - value: PE-16 - links: - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: pe-16_smt - name: statement - parts: - - - id: pe-16_smt.a - name: item - properties: - - - name: label - value: a. - prose: Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and - - - id: pe-16_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain records of the system components. - - - id: pe-16_gdn - name: guidance - prose: Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries. - - - id: pl - class: family - title: Planning - controls: - - - id: pl-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pl-1_prm_1 - label: organization-defined personnel or roles - - - id: pl-1_prm_2 - - - id: pl-1_prm_3 - label: organization-defined official - - - id: pl-1_prm_4 - label: organization-defined frequency - - - id: pl-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PL-1 - - - name: sort-id - value: PL-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-1_smt - name: statement - parts: - - - id: pl-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pl-1_prm_1 }}: - parts: - - - id: pl-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pl-1_prm_2 }} planning policy that: - """ - parts: - - - id: pl-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pl-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pl-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the planning policy and the associated planning controls; - - - id: pl-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and - - - id: pl-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current planning: - parts: - - - id: pl-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pl-1_prm_4 }}; and - - - id: pl-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pl-1_prm_5 }}. - - - id: pl-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pl-2 - class: SP800-53 - title: System Security and Privacy Plans - parameters: - - - id: pl-2_prm_1 - label: organization-defined individuals or groups - - - id: pl-2_prm_2 - label: organization-defined personnel or roles - - - id: pl-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PL-2 - - - name: sort-id - value: PL-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-22 - rel: related - text: SA-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pl-2_smt - name: statement - parts: - - - id: pl-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop security and privacy plans for the system that: - parts: - - - id: pl-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are consistent with the organization’s enterprise architecture; - - - id: pl-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Explicitly define the constituent system components; - - - id: pl-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Describe the operational context of the system in terms of missions and business processes; - - - id: pl-2_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Provide the security categorization of the system, including supporting rationale; - - - id: pl-2_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Describe any specific threats to the system that are of concern to the organization; - - - id: pl-2_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provide the results of a privacy risk assessment for systems processing personally identifiable information; - - - id: pl-2_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; - - - id: pl-2_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: Provide an overview of the security and privacy requirements for the system; - - - id: pl-2_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Identify any relevant control baselines or overlays, if applicable; - - - id: pl-2_smt.a.10 - name: item - properties: - - - name: label - value: 10. - prose: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; - - - id: pl-2_smt.a.11 - name: item - properties: - - - name: label - value: 11. - prose: Include risk determinations for security and privacy architecture and design decisions; - - - id: pl-2_smt.a.12 - name: item - properties: - - - name: label - value: 12. - prose: Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and - - - id: pl-2_smt.a.13 - name: item - properties: - - - name: label - value: 13. - prose: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. - - - id: pl-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }}; - - - id: pl-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the plans {{ pl-2_prm_3 }}; - - - id: pl-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and - - - id: pl-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the plans from unauthorized disclosure and modification. - - - id: pl-2_gdn - name: guidance - prose: - """ - System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. - Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. - Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. - Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate. - """ - - - id: pl-4 - class: SP800-53 - title: Rules of Behavior - parameters: - - - id: pl-4_prm_1 - label: organization-defined frequency - - - id: pl-4_prm_2 - - - id: pl-4_prm_3 - depends-on: pl-4_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PL-4 - - - name: sort-id - value: PL-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-9 - rel: related - text: AC-9 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-4_smt - name: statement - parts: - - - id: pl-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; - - - id: pl-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; - - - id: pl-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the rules of behavior {{ pl-4_prm_1 }}; and - - - id: pl-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}. - - - id: pl-4_gdn - name: guidance - prose: Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons. - controls: - - - id: pl-4.1 - class: SP800-53-enhancement - title: Social Media and External Site/application Usage Restrictions - properties: - - - name: label - value: PL-4(1) - - - name: sort-id - value: PL-04(01) - links: - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #au-13 - rel: related - text: AU-13 - parts: - - - id: pl-4.1_smt - name: statement - prose: Include in the rules of behavior, restrictions on: - parts: - - - id: pl-4.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Use of social media, social networking sites, and external sites/applications; - - - id: pl-4.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Posting organizational information on public websites; and - - - id: pl-4.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications. - - - id: pl-4.1_gdn - name: guidance - prose: Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information. - - - id: pl-10 - class: SP800-53 - title: Baseline Selection - properties: - - - name: label - value: PL-10 - - - name: sort-id - value: PL-10 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #31f3c9de-c57c-4281-929b-f9951f9640f1 - rel: reference - text: [SP 800-53B] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ee96f130-3f91-46ed-a4d8-57e5f220a623 - rel: reference - text: [CNSSI 1253] - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pl-10_smt - name: statement - prose: Select a control baseline for the system. - - - id: pl-10_gdn - name: guidance - prose: Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments. - - - id: pl-11 - class: SP800-53 - title: Baseline Tailoring - properties: - - - name: label - value: PL-11 - - - name: sort-id - value: PL-11 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #31f3c9de-c57c-4281-929b-f9951f9640f1 - rel: reference - text: [SP 800-53B] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ee96f130-3f91-46ed-a4d8-57e5f220a623 - rel: reference - text: [CNSSI 1253] - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pl-11_smt - name: statement - prose: Tailor the selected control baseline by applying specified tailoring actions. - - - id: pl-11_gdn - name: guidance - prose: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities. - - - id: pm - class: family - title: Program Management - controls: - - - id: pm-1 - class: SP800-53 - title: Information Security Program Plan - parameters: - - - id: pm-1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-1 - - - name: sort-id - value: PM-01 - links: - - - href: #14958422-54f6-471f-a345-802dca594dd8 - rel: reference - text: [FISMA] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: pm-1_smt - name: statement - parts: - - - id: pm-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and disseminate an organization-wide information security program plan that: - parts: - - - id: pm-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; - - - id: pm-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; - - - id: pm-1_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Reflects the coordination among organizational entities responsible for information security; and - - - id: pm-1_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; - - - id: pm-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the organization-wide information security program plan {{ pm-1_prm_1 }}; - - - id: pm-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and - - - id: pm-1_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect the information security program plan from unauthorized disclosure and modification. - - - id: pm-1_gdn - name: guidance - prose: - """ - An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents. - Information security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. - Program management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization. - Common controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls. - """ - - - id: pm-2 - class: SP800-53 - title: Information Security Program Leadership Role - properties: - - - name: label - value: PM-2 - - - name: sort-id - value: PM-02 - links: - - - href: #ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3 - rel: reference - text: [OMB M-17-25] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - parts: - - - id: pm-2_smt - name: statement - prose: Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. - - - id: pm-2_gdn - name: guidance - prose: The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer. - - - id: pm-3 - class: SP800-53 - title: Information Security and Privacy Resources - properties: - - - name: label - value: PM-3 - - - name: sort-id - value: PM-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-3_smt - name: statement - parts: - - - id: pm-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; - - - id: pm-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and - - - id: pm-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make available for expenditure, the planned information security and privacy resources. - - - id: pm-3_gdn - name: guidance - prose: Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process. - - - id: pm-4 - class: SP800-53 - title: Plan of Action and Milestones Process - properties: - - - name: label - value: PM-4 - - - name: sort-id - value: PM-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-3 - rel: related - text: PM-3 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-4_smt - name: statement - parts: - - - id: pm-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems: - parts: - - - id: pm-4_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; - - - id: pm-4_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and - - - id: pm-4_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Are reported in accordance with established reporting requirements. - - - id: pm-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-4_gdn - name: guidance - prose: The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5. - - - id: pm-5 - class: SP800-53 - title: System Inventory - parameters: - - - id: pm-5_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-5 - - - name: sort-id - value: PM-05 - links: - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - parts: - - - id: pm-5_smt - name: statement - prose: Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems. - - - id: pm-5_gdn - name: guidance - prose: [OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8. - controls: - - - id: pm-5.1 - class: SP800-53-enhancement - title: Inventory of Personally Identifiable Information - parameters: - - - id: pm-5.1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-5(1) - - - name: sort-id - value: PM-05(01) - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-12 - rel: related - text: CM-12 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-5.1_smt - name: statement - prose: Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information. - - - id: pm-5.1_gdn - name: guidance - prose: An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein. - - - id: pm-6 - class: SP800-53 - title: Measures of Performance - properties: - - - name: label - value: PM-6 - - - name: sort-id - value: PM-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - rel: reference - text: [SP 800-55] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-7 - rel: related - text: CA-7 - parts: - - - id: pm-6_smt - name: statement - prose: Develop, monitor, and report on the results of information security and privacy measures of performance. - - - id: pm-6_gdn - name: guidance - prose: Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. - - - id: pm-7 - class: SP800-53 - title: Enterprise Architecture - properties: - - - name: label - value: PM-7 - - - name: sort-id - value: PM-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #au-6 - rel: related - text: AU-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: pm-7_smt - name: statement - prose: Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. - - - id: pm-7_gdn - name: guidance - prose: The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines. - controls: - - - id: pm-7.1 - class: SP800-53-enhancement - title: Offloading - parameters: - - - id: pm-7.1_prm_1 - label: organization-defined non-essential functions or services - properties: - - - name: label - value: PM-7(1) - - - name: sort-id - value: PM-07(01) - links: - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pm-7.1_smt - name: statement - prose: Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider. - - - id: pm-7.1_gdn - name: guidance - prose: Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services. - - - id: pm-8 - class: SP800-53 - title: Critical Infrastructure Plan - properties: - - - name: label - value: PM-8 - - - name: sort-id - value: PM-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #cde25174-38e0-4a00-8919-8ee3674b8088 - rel: reference - text: [HSPD 7] - - - href: #24b7b1ec-6430-41de-9353-29fdb1b488fc - rel: reference - text: [DHS NIPP] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-8_smt - name: statement - prose: Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. - - - id: pm-8_gdn - name: guidance - prose: Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: pm-9 - class: SP800-53 - title: Risk Management Strategy - parameters: - - - id: pm-9_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-9 - - - name: sort-id - value: PM-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: pm-9_smt - name: statement - parts: - - - id: pm-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develops a comprehensive strategy to manage: - parts: - - - id: pm-9_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and - - - id: pm-9_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; - - - id: pm-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the risk management strategy consistently across the organization; and - - - id: pm-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes. - - - id: pm-9_gdn - name: guidance - prose: An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive. - - - id: pm-10 - class: SP800-53 - title: Authorization Process - properties: - - - name: label - value: PM-10 - - - name: sort-id - value: PM-10 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: pm-10_smt - name: statement - parts: - - - id: pm-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; - - - id: pm-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and - - - id: pm-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Integrate the authorization processes into an organization-wide risk management program. - - - id: pm-10_gdn - name: guidance - prose: Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation. - - - id: pm-11 - class: SP800-53 - title: Mission and Business Process Definition - parameters: - - - id: pm-11_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-11 - - - name: sort-id - value: PM-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-11_smt - name: statement - parts: - - - id: pm-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and - - - id: pm-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and revise the mission and business processes {{ pm-11_prm_1 }}. - - - id: pm-11_gdn - name: guidance - prose: Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures. - - - id: pm-12 - class: SP800-53 - title: Insider Threat Program - properties: - - - name: label - value: PM-12 - - - name: sort-id - value: PM-12 - links: - - - href: #2b5e12fb-633f-49e6-8aff-81d75bf53545 - rel: reference - text: [EO 13587] - - - href: #286d42a1-efbe-49a2-9ce1-4c9bf68feb3b - rel: reference - text: [ODNI NITP] - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-16 - rel: related - text: PM-16 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #pm-14 - rel: related - text: PM-14 - parts: - - - id: pm-12_smt - name: statement - prose: Implement an insider threat program that includes a cross-discipline insider threat incident handling team. - - - id: pm-12_gdn - name: guidance - prose: - """ - Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture. - Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - """ - - - id: pm-13 - class: SP800-53 - title: Security and Privacy Workforce - properties: - - - name: label - value: PM-13 - - - name: sort-id - value: PM-13 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f4c3f657-de83-47ae-9aec-e144de8268d1 - rel: reference - text: [SP 800-181] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: pm-13_smt - name: statement - prose: Establish a security and privacy workforce development and improvement program. - - - id: pm-13_gdn - name: guidance - prose: Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals. - - - id: pm-14 - class: SP800-53 - title: Testing, Training, and Monitoring - properties: - - - name: label - value: PM-14 - - - name: sort-id - value: PM-14 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: pm-14_smt - name: statement - parts: - - - id: pm-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: - parts: - - - id: pm-14_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; and - - - id: pm-14_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Continue to be executed; and - - - id: pm-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-14_gdn - name: guidance - prose: This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. - - - id: pm-15 - class: SP800-53 - title: Security and Privacy Groups and Associations - properties: - - - name: label - value: PM-15 - - - name: sort-id - value: PM-15 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #si-5 - rel: related - text: SI-5 - parts: - - - id: pm-15_smt - name: statement - prose: Establish and institutionalize contact with selected groups and associations within the security and privacy communities: - parts: - - - id: pm-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: To facilitate ongoing security and privacy education and training for organizational personnel; - - - id: pm-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: To maintain currency with recommended security and privacy practices, techniques, and technologies; and - - - id: pm-15_smt.c - name: item - properties: - - - name: label - value: c. - prose: To share current security and privacy information, including threats, vulnerabilities, and incidents. - - - id: pm-15_gdn - name: guidance - prose: Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: pm-16 - class: SP800-53 - title: Threat Awareness Program - properties: - - - name: label - value: PM-16 - - - name: sort-id - value: PM-16 - links: - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pm-12 - rel: related - text: PM-12 - parts: - - - id: pm-16_smt - name: statement - prose: Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. - - - id: pm-16_gdn - name: guidance - prose: Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared. - controls: - - - id: pm-16.1 - class: SP800-53-enhancement - title: Automated Means for Sharing Threat Intelligence - properties: - - - name: label - value: PM-16(1) - - - name: sort-id - value: PM-16(01) - parts: - - - id: pm-16.1_smt - name: statement - prose: Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. - - - id: pm-16.1_gdn - name: guidance - prose: To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures. - - - id: pm-17 - class: SP800-53 - title: Protecting Controlled Unclassified Information on External Systems - parameters: - - - id: pm-17_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-17 - - - name: sort-id - value: PM-17 - links: - - - href: #742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - rel: reference - text: [32 CFR 2002] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #dd87fdf0-840d-4392-9de4-220b2327e340 - rel: reference - text: [NARA CUI] - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #pm-10 - rel: related - text: PM-10 - parts: - - - id: pm-17_smt - name: statement - parts: - - - id: pm-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards. - - - id: pm-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update the policy and procedures {{ pm-17_prm_1 }}. - - - id: pm-17_gdn - name: guidance - prose: Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes. - - - id: pm-18 - class: SP800-53 - title: Privacy Program Plan - properties: - - - name: label - value: PM-18 - - - name: sort-id - value: PM-18 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-18_smt - name: statement - parts: - - - id: pm-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: - parts: - - - id: pm-18_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; - - - id: pm-18_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; - - - id: pm-18_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; - - - id: pm-18_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; - - - id: pm-18_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Reflects coordination among organizational entities responsible for the different aspects of privacy; and - - - id: pm-18_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. - - - id: pm-18_gdn - name: guidance - prose: - """ - A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. - The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. - Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. - Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls. - """ - - - id: pm-19 - class: SP800-53 - title: Privacy Program Leadership Role - properties: - - - name: label - value: PM-19 - - - name: sort-id - value: PM-19 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-20 - rel: related - text: PM-20 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-24 - rel: related - text: PM-24 - parts: - - - id: pm-19_smt - name: statement - prose: Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. - - - id: pm-19_gdn - name: guidance - prose: The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24). - - - id: pm-20 - class: SP800-53 - title: Dissemination of Privacy Program Information - properties: - - - name: label - value: PM-20 - - - name: sort-id - value: PM-20 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f7d3617a-9a4f-4f1a-a688-845081b70390 - rel: reference - text: [OMB M-17-06] - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-8 - rel: related - text: RA-8 - parts: - - - id: pm-20_smt - name: statement - prose: Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: - parts: - - - id: pm-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; - - - id: pm-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensures that organizational privacy practices and reports are publicly available; and - - - id: pm-20_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. - - - id: pm-20_gdn - name: guidance - prose: Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications. - - - id: pm-21 - class: SP800-53 - title: Accounting of Disclosures - properties: - - - name: label - value: PM-21 - - - name: sort-id - value: PM-21 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #pt-2 - rel: related - text: PT-2 - parts: - - - id: pm-21_smt - name: statement - parts: - - - id: pm-21_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: - parts: - - - id: pm-21_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Date, nature, and purpose of each disclosure; and - - - id: pm-21_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Name and address, or other contact information of the person or organization to which the disclosure was made; - - - id: pm-21_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and - - - id: pm-21_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. - - - id: pm-21_gdn - name: guidance - prose: - """ - The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. - Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions. - """ - - - id: pm-22 - class: SP800-53 - title: Personally Identifiable Information Quality Management - properties: - - - name: label - value: PM-22 - - - name: sort-id - value: PM-22 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-22_smt - name: statement - prose: Develop and document policies and procedures for: - parts: - - - id: pm-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; - - - id: pm-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Correcting or deleting inaccurate or outdated personally identifiable information; - - - id: pm-22_smt.c - name: item - properties: - - - name: label - value: c. - prose: Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and - - - id: pm-22_smt.d - name: item - properties: - - - name: label - value: d. - prose: Appeals of adverse decisions on correction or deletion requests. - - - id: pm-22_gdn - name: guidance - prose: - """ - Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. - The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. - Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem. - """ - - - id: pm-23 - class: SP800-53 - title: Data Governance Body - parameters: - - - id: pm-23_prm_1 - label: organization-defined roles - - - id: pm-23_prm_2 - label: organization-defined responsibilities - properties: - - - name: label - value: PM-23 - - - name: sort-id - value: PM-23 - links: - - - href: #43facb7b-0afb-480f-8191-34790d5b444b - rel: reference - text: [EVIDACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #d843e915-eeb6-4bbe-8cab-ccc802088703 - rel: reference - text: [OMB M-19-23] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-19 - rel: related - text: SI-19 - parts: - - - id: pm-23_smt - name: statement - prose: Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}. - - - id: pm-23_gdn - name: guidance - prose: A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]. - - - id: pm-24 - class: SP800-53 - title: Data Integrity Board - properties: - - - name: label - value: PM-24 - - - name: sort-id - value: PM-24 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-8 - rel: related - text: PT-8 - parts: - - - id: pm-24_smt - name: statement - prose: Establish a Data Integrity Board to: - parts: - - - id: pm-24_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review proposals to conduct or participate in a matching program; and - - - id: pm-24_smt.b - name: item - properties: - - - name: label - value: b. - prose: Conduct an annual review of all matching programs in which the agency has participated. - - - id: pm-24_gdn - name: guidance - prose: A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy. - - - id: pm-25 - class: SP800-53 - title: Minimization of Pii Used in Testing, Training, and Research - parameters: - - - id: pm-25_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-25 - - - name: sort-id - value: PM-25 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: pm-25_smt - name: statement - parts: - - - id: pm-25_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; - - - id: pm-25_smt.b - name: item - properties: - - - name: label - value: b. - prose: Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; - - - id: pm-25_smt.c - name: item - properties: - - - name: label - value: c. - prose: Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and - - - id: pm-25_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review and update policies and procedures {{ pm-25_prm_1 }}. - - - id: pm-25_gdn - name: guidance - prose: The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2). - - - id: pm-26 - class: SP800-53 - title: Complaint Management - parameters: - - - id: pm-26_prm_1 - label: organization-defined time-period - - - id: pm-26_prm_2 - label: organization-defined time-period - - - id: pm-26_prm_3 - label: organization-defined time-period - properties: - - - name: label - value: PM-26 - - - name: sort-id - value: PM-26 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-26_smt - name: statement - prose: Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes: - parts: - - - id: pm-26_smt.a - name: item - properties: - - - name: label - value: a. - prose: Mechanisms that are easy to use and readily accessible by the public; - - - id: pm-26_smt.b - name: item - properties: - - - name: label - value: b. - prose: All information necessary for successfully filing complaints; - - - id: pm-26_smt.c - name: item - properties: - - - name: label - value: c. - prose: Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }}; - - - id: pm-26_smt.d - name: item - properties: - - - name: label - value: d. - prose: Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and - - - id: pm-26_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}. - - - id: pm-26_gdn - name: guidance - prose: Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information. - - - id: pm-27 - class: SP800-53 - title: Privacy Reporting - parameters: - - - id: pm-27_prm_1 - label: organization-defined privacy reports - - - id: pm-27_prm_2 - label: organization-defined officials - - - id: pm-27_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PM-27 - - - name: sort-id - value: PM-27 - links: - - - href: #14958422-54f6-471f-a345-802dca594dd8 - rel: reference - text: [FISMA] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-27_smt - name: statement - parts: - - - id: pm-27_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop {{ pm-27_prm_1 }} and disseminate to: - parts: - - - id: pm-27_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and - - - id: pm-27_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and - """ - - - id: pm-27_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update privacy reports {{ pm-27_prm_3 }}. - - - id: pm-27_gdn - name: guidance - prose: Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. - - - id: pm-28 - class: SP800-53 - title: Risk Framing - parameters: - - - id: pm-28_prm_1 - label: organization-defined personnel - - - id: pm-28_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PM-28 - - - name: sort-id - value: PM-28 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-7 - rel: related - text: RA-7 - parts: - - - id: pm-28_smt - name: statement - parts: - - - id: pm-28_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document: - parts: - - - id: pm-28_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Assumptions affecting risk assessments, risk responses, and risk monitoring; - - - id: pm-28_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Constraints affecting risk assessments, risk responses, and risk monitoring; - - - id: pm-28_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Priorities and trade-offs considered by the organization for managing risk; and - - - id: pm-28_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Organizational risk tolerance; and - - - id: pm-28_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute the results of risk framing activities to {{ pm-28_prm_1 }}; - - - id: pm-28_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update risk framing considerations {{ pm-28_prm_2 }}. - - - id: pm-28_gdn - name: guidance - prose: Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management. - - - id: pm-29 - class: SP800-53 - title: Risk Management Program Leadership Roles - properties: - - - name: label - value: PM-29 - - - name: sort-id - value: PM-29 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-29_smt - name: statement - parts: - - - id: pm-29_smt.a - name: item - properties: - - - name: label - value: a. - prose: Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and - - - id: pm-29_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. - - - id: pm-29_gdn - name: guidance - prose: The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities. - - - id: pm-30 - class: SP800-53 - title: Supply Chain Risk Management Strategy - parameters: - - - id: pm-30_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-30 - - - name: sort-id - value: PM-30 - links: - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-7 - rel: related - text: SR-7 - - - href: #sr-8 - rel: related - text: SR-8 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: pm-30_smt - name: statement - parts: - - - id: pm-30_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; - - - id: pm-30_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the supply chain risk management strategy consistently across the organization; and - - - id: pm-30_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes. - - - id: pm-30_gdn - name: guidance - prose: An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level. - - - id: pm-31 - class: SP800-53 - title: Continuous Monitoring Strategy - parameters: - - - id: pm-31_prm_1 - label: organization-defined metrics - - - id: pm-31_prm_2 - label: organization-defined frequencies - - - id: pm-31_prm_3 - label: organization-defined frequencies - - - id: pm-31_prm_4 - label: organization-defined personnel or roles - - - id: pm-31_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PM-31 - - - name: sort-id - value: PM-31 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pm-31_smt - name: statement - prose: Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: - parts: - - - id: pm-31_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }}; - - - id: pm-31_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness; - - - id: pm-31_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; - - - id: pm-31_smt.d - name: item - properties: - - - name: label - value: d. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: pm-31_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: pm-31_smt.f - name: item - properties: - - - name: label - value: f. - prose: - """ - Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }} - {{ pm-31_prm_5 }}. - """ - - - id: pm-31_gdn - name: guidance - prose: Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - - - id: pm-32 - class: SP800-53 - title: Purposing - parameters: - - - id: pm-32_prm_1 - label: organization-defined systems or systems components - properties: - - - name: label - value: PM-32 - - - name: sort-id - value: PM-32 - links: - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - parts: - - - id: pm-32_smt - name: statement - prose: Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose. - - - id: pm-32_gdn - name: guidance - prose: Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures. - - - id: ps - class: family - title: Personnel Security - controls: - - - id: ps-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ps-1_prm_1 - label: organization-defined personnel or roles - - - id: ps-1_prm_2 - - - id: ps-1_prm_3 - label: organization-defined official - - - id: ps-1_prm_4 - label: organization-defined frequency - - - id: ps-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PS-1 - - - name: sort-id - value: PS-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-1_smt - name: statement - parts: - - - id: ps-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ps-1_prm_1 }}: - parts: - - - id: ps-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ps-1_prm_2 }} personnel security policy that: - """ - parts: - - - id: ps-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ps-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ps-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; - - - id: ps-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and - - - id: ps-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current personnel security: - parts: - - - id: ps-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ps-1_prm_4 }}; and - - - id: ps-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ps-1_prm_5 }}. - - - id: ps-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ps-2 - class: SP800-53 - title: Position Risk Designation - parameters: - - - id: ps-2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PS-2 - - - name: sort-id - value: PS-02 - links: - - - href: #2383ccfd-d8a0-4e3a-bf40-21288ae1e07a - rel: reference - text: [5 CFR 731] - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-2_smt - name: statement - parts: - - - id: ps-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Assign a risk designation to all organizational positions; - - - id: ps-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establish screening criteria for individuals filling those positions; and - - - id: ps-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update position risk designations {{ ps-2_prm_1 }}. - - - id: ps-2_gdn - name: guidance - prose: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions. - - - id: ps-3 - class: SP800-53 - title: Personnel Screening - parameters: - - - id: ps-3_prm_1 - label: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening - properties: - - - name: label - value: PS-3 - - - name: sort-id - value: PS-03 - links: - - - href: #52a8b0c6-0c6b-424b-928d-41c50ba87838 - rel: reference - text: [EO 13526] - - - href: #2b5e12fb-633f-49e6-8aff-81d75bf53545 - rel: reference - text: [EO 13587] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-21 - rel: related - text: SA-21 - parts: - - - id: ps-3_smt - name: statement - parts: - - - id: ps-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Screen individuals prior to authorizing access to the system; and - - - id: ps-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Rescreen individuals in accordance with {{ ps-3_prm_1 }}. - - - id: ps-3_gdn - name: guidance - prose: Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems. - - - id: ps-4 - class: SP800-53 - title: Personnel Termination - parameters: - - - id: ps-4_prm_1 - label: organization-defined time-period - - - id: ps-4_prm_2 - label: organization-defined information security topics - properties: - - - name: label - value: PS-4 - - - name: sort-id - value: PS-04 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - parts: - - - id: ps-4_smt - name: statement - prose: Upon termination of individual employment: - parts: - - - id: ps-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Disable system access within {{ ps-4_prm_1 }}; - - - id: ps-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Terminate or revoke any authenticators and credentials associated with the individual; - - - id: ps-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }}; - - - id: ps-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Retrieve all security-related organizational system-related property; and - - - id: ps-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Retain access to organizational information and systems formerly controlled by terminated individual. - - - id: ps-4_gdn - name: guidance - prose: System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified. - - - id: ps-5 - class: SP800-53 - title: Personnel Transfer - parameters: - - - id: ps-5_prm_1 - label: organization-defined transfer or reassignment actions - - - id: ps-5_prm_2 - label: organization-defined time-period following the formal transfer action - - - id: ps-5_prm_3 - label: organization-defined personnel or roles - - - id: ps-5_prm_4 - label: organization-defined time-period - properties: - - - name: label - value: PS-5 - - - name: sort-id - value: PS-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-7 - rel: related - text: PS-7 - parts: - - - id: ps-5_smt - name: statement - parts: - - - id: ps-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; - - - id: ps-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }}; - - - id: ps-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and - - - id: ps-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}. - - - id: ps-5_gdn - name: guidance - prose: Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts. - - - id: ps-6 - class: SP800-53 - title: Access Agreements - parameters: - - - id: ps-6_prm_1 - label: organization-defined frequency - - - id: ps-6_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PS-6 - - - name: sort-id - value: PS-06 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-6_smt - name: statement - parts: - - - id: ps-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and document access agreements for organizational systems; - - - id: ps-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the access agreements {{ ps-6_prm_1 }}; and - - - id: ps-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Verify that individuals requiring access to organizational information and systems: - parts: - - - id: ps-6_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Sign appropriate access agreements prior to being granted access; and - - - id: ps-6_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}. - - - id: ps-6_gdn - name: guidance - prose: Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. - - - id: ps-7 - class: SP800-53 - title: External Personnel Security - parameters: - - - id: ps-7_prm_1 - label: organization-defined personnel or roles - - - id: ps-7_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: PS-7 - - - name: sort-id - value: PS-07 - links: - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-21 - rel: related - text: SA-21 - parts: - - - id: ps-7_smt - name: statement - parts: - - - id: ps-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish personnel security requirements, including security roles and responsibilities for external providers; - - - id: ps-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Require external providers to comply with personnel security policies and procedures established by the organization; - - - id: ps-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document personnel security requirements; - - - id: ps-7_smt.d - name: item - properties: - - - name: label - value: d. - prose: Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and - - - id: ps-7_smt.e - name: item - properties: - - - name: label - value: e. - prose: Monitor provider compliance with personnel security requirements. - - - id: ps-7_gdn - name: guidance - prose: External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated. - - - id: ps-8 - class: SP800-53 - title: Personnel Sanctions - parameters: - - - id: ps-8_prm_1 - label: organization-defined personnel or roles - - - id: ps-8_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: PS-8 - - - name: sort-id - value: PS-08 - links: - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #pt-1 - rel: related - text: PT-1 - parts: - - - id: ps-8_smt - name: statement - parts: - - - id: ps-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and - - - id: ps-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. - - - id: ps-8_gdn - name: guidance - prose: Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. - - - id: ra - class: family - title: Risk Assessment - controls: - - - id: ra-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ra-1_prm_1 - label: organization-defined personnel or roles - - - id: ra-1_prm_2 - - - id: ra-1_prm_3 - label: organization-defined official - - - id: ra-1_prm_4 - label: organization-defined frequency - - - id: ra-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-1 - - - name: sort-id - value: RA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-1_smt - name: statement - parts: - - - id: ra-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ra-1_prm_1 }}: - parts: - - - id: ra-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ra-1_prm_2 }} risk assessment policy that: - """ - parts: - - - id: ra-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ra-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ra-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; - - - id: ra-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and - - - id: ra-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current risk assessment: - parts: - - - id: ra-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ra-1_prm_4 }}; and - - - id: ra-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ra-1_prm_5 }}. - - - id: ra-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ra-2 - class: SP800-53 - title: Security Categorization - properties: - - - name: label - value: RA-2 - - - name: sort-id - value: RA-02 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-2_smt - name: statement - parts: - - - id: ra-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Categorize the system and information it processes, stores, and transmits; - - - id: ra-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document the security categorization results, including supporting rationale, in the security plan for the system; and - - - id: ra-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. - - - id: ra-2_gdn - name: guidance - prose: - """ - Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. - Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts. - Security categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant. - """ - - - id: ra-3 - class: SP800-53 - title: Risk Assessment - parameters: - - - id: ra-3_prm_1 - - - id: ra-3_prm_2 - depends-on: ra-3_prm_1 - label: organization-defined document - - - id: ra-3_prm_3 - label: organization-defined frequency - - - id: ra-3_prm_4 - label: organization-defined personnel or roles - - - id: ra-3_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-3 - - - name: sort-id - value: RA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-3_smt - name: statement - parts: - - - id: ra-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Conduct a risk assessment, including: - parts: - - - id: ra-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and - - - id: ra-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; - - - id: ra-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; - - - id: ra-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document risk assessment results in {{ ra-3_prm_1 }}; - - - id: ra-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review risk assessment results {{ ra-3_prm_3 }}; - - - id: ra-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Disseminate risk assessment results to {{ ra-3_prm_4 }}; and - - - id: ra-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. - - - id: ra-3_gdn - name: guidance - prose: - """ - Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. - Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. - In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination. - """ - controls: - - - id: ra-3.1 - class: SP800-53-enhancement - title: Supply Chain Risk Assessment - parameters: - - - id: ra-3.1_prm_1 - label: organization-defined systems, system components, and system services - - - id: ra-3.1_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: RA-3(1) - - - name: sort-id - value: RA-03(01) - links: - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #pm-17 - rel: related - text: PM-17 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: ra-3.1_smt - name: statement - parts: - - - id: ra-3.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and - - - id: ra-3.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. - - - id: ra-3.1_gdn - name: guidance - prose: Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required. - - - id: ra-5 - class: SP800-53 - title: Vulnerability Monitoring and Scanning - parameters: - - - id: ra-5_prm_1 - label: organization-defined frequency and/or randomly in accordance with organization-defined process - - - id: ra-5_prm_2 - label: organization-defined response times - - - id: ra-5_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: RA-5 - - - name: sort-id - value: RA-05 - links: - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - rel: reference - text: [SP 800-126] - - - href: #bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - rel: reference - text: [IR 7788] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: ra-5_smt - name: statement - parts: - - - id: ra-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported; - - - id: ra-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: - parts: - - - id: ra-5_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: Enumerating platforms, software flaws, and improper configurations; - - - id: ra-5_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: Formatting checklists and test procedures; and - - - id: ra-5_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: Measuring vulnerability impact; - - - id: ra-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Analyze vulnerability scan reports and results from vulnerability monitoring; - - - id: ra-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk; - - - id: ra-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and - - - id: ra-5_smt.f - name: item - properties: - - - name: label - value: f. - prose: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. - - - id: ra-5_gdn - name: guidance - prose: - """ - Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. - Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). - Vulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. - Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points. - """ - controls: - - - id: ra-5.2 - class: SP800-53-enhancement - title: Update System Vulnerabilities - parameters: - - - id: ra-5.2_prm_1 - - - id: ra-5.2_prm_2 - depends-on: ra-5.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: RA-5(2) - - - name: sort-id - value: RA-05(02) - links: - - - href: #si-5 - rel: related - text: SI-5 - parts: - - - id: ra-5.2_smt - name: statement - prose: Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}. - - - id: ra-5.2_gdn - name: guidance - prose: Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner. - - - id: ra-7 - class: SP800-53 - title: Risk Response - properties: - - - name: label - value: RA-7 - - - name: sort-id - value: RA-07 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: ra-7_smt - name: statement - prose: Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. - - - id: ra-7_gdn - name: guidance - prose: Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated. - - - id: sa - class: family - title: System and Services Acquisition - controls: - - - id: sa-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sa-1_prm_1 - label: organization-defined personnel or roles - - - id: sa-1_prm_2 - - - id: sa-1_prm_3 - label: organization-defined official - - - id: sa-1_prm_4 - label: organization-defined frequency - - - id: sa-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SA-1 - - - name: sort-id - value: SA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sa-1_smt - name: statement - parts: - - - id: sa-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sa-1_prm_1 }}: - parts: - - - id: sa-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sa-1_prm_2 }} system and services acquisition policy that: - """ - parts: - - - id: sa-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sa-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sa-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; - - - id: sa-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and - - - id: sa-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and services acquisition: - parts: - - - id: sa-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sa-1_prm_4 }}; and - - - id: sa-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sa-1_prm_5 }}. - - - id: sa-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sa-2 - class: SP800-53 - title: Allocation of Resources - properties: - - - name: label - value: SA-2 - - - name: sort-id - value: SA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pm-3 - rel: related - text: PM-3 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-2_smt - name: statement - parts: - - - id: sa-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; - - - id: sa-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and - - - id: sa-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. - - - id: sa-2_gdn - name: guidance - prose: Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle. - - - id: sa-3 - class: SP800-53 - title: System Development Life Cycle - parameters: - - - id: sa-3_prm_1 - label: organization-defined system development life cycle - properties: - - - name: label - value: SA-3 - - - name: sort-id - value: SA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - rel: reference - text: [SP 800-171B] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-22 - rel: related - text: SA-22 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-9 - rel: related - text: SR-9 - parts: - - - id: sa-3_smt - name: statement - parts: - - - id: sa-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations; - - - id: sa-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define and document information security and privacy roles and responsibilities throughout the system development life cycle; - - - id: sa-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Identify individuals having information security and privacy roles and responsibilities; and - - - id: sa-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Integrate the organizational information security and privacy risk management process into system development life cycle activities. - - - id: sa-3_gdn - name: guidance - prose: - """ - A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. - The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle. - """ - - - id: sa-4 - class: SP800-53 - title: Acquisition Process - parameters: - - - id: sa-4_prm_1 - - - id: sa-4_prm_2 - depends-on: sa-4_prm_1 - label: organization-defined contract language - properties: - - - name: label - value: SA-4 - - - name: sort-id - value: SA-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #6ddb507b-6ddb-4e15-a8d4-0854e704446e - rel: reference - text: [ISO 15408-1] - - - href: #18abb755-c10f-407d-b0ef-4f99e5ec4a49 - rel: reference - text: [ISO 15408-2] - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #daf69edb-a0ef-4447-9880-8c4bf553181f - rel: reference - text: [IR 7676] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #5dac2312-1d0d-416f-aebb-400fa9775b74 - rel: reference - text: [NIAP CCEVS] - - - href: #634dec27-df88-4c30-b1a4-b57cdfd24f20 - rel: reference - text: [NSA CSFC] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-4_smt - name: statement - prose: Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service: - parts: - - - id: sa-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Security and privacy functional requirements; - - - id: sa-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Strength of mechanism requirements; - - - id: sa-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Security and privacy assurance requirements; - - - id: sa-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Controls needed to satisfy the security and privacy requirements. - - - id: sa-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Security and privacy documentation requirements; - - - id: sa-4_smt.f - name: item - properties: - - - name: label - value: f. - prose: Requirements for protecting security and privacy documentation; - - - id: sa-4_smt.g - name: item - properties: - - - name: label - value: g. - prose: Description of the system development environment and environment in which the system is intended to operate; - - - id: sa-4_smt.h - name: item - properties: - - - name: label - value: h. - prose: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and - - - id: sa-4_smt.i - name: item - properties: - - - name: label - value: i. - prose: Acceptance criteria. - - - id: sa-4_gdn - name: guidance - prose: - """ - Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. - Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. - Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement. - """ - controls: - - - id: sa-4.10 - class: SP800-53-enhancement - title: Use of Approved PIV Products - properties: - - - name: label - value: SA-4(10) - - - name: sort-id - value: SA-04(10) - links: - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #pm-9 - rel: related - text: PM-9 - parts: - - - id: sa-4.10_smt - name: statement - prose: Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. - - - id: sa-4.10_gdn - name: guidance - prose: Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations. - - - id: sa-5 - class: SP800-53 - title: System Documentation - parameters: - - - id: sa-5_prm_1 - label: organization-defined actions - - - id: sa-5_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: SA-5 - - - name: sort-id - value: SA-05 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: sa-5_smt - name: statement - parts: - - - id: sa-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Obtain administrator documentation for the system, system component, or system service that describes: - parts: - - - id: sa-5_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Secure configuration, installation, and operation of the system, component, or service; - - - id: sa-5_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Effective use and maintenance of security and privacy functions and mechanisms; and - - - id: sa-5_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Known vulnerabilities regarding configuration and use of administrative or privileged functions; - - - id: sa-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Obtain user documentation for the system, system component, or system service that describes: - parts: - - - id: sa-5_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; - - - id: sa-5_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and - - - id: sa-5_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; - - - id: sa-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response; - - - id: sa-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect documentation as required, in accordance with the organizational risk management strategy; and - - - id: sa-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Distribute documentation to {{ sa-5_prm_2 }}. - - - id: sa-5_gdn - name: guidance - prose: System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation. - - - id: sa-8 - class: SP800-53 - title: Security and Privacy Engineering Principles - parameters: - - - id: sa-8_prm_1 - label: organization-defined systems security and privacy engineering principles - properties: - - - name: label - value: SA-8 - - - name: sort-id - value: SA-08 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-20 - rel: related - text: SA-20 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-39 - rel: related - text: SC-39 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-8_smt - name: statement - prose: Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}. - - - id: sa-8_gdn - name: guidance - prose: - """ - Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. - The application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. - Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design. - """ - - - id: sa-9 - class: SP800-53 - title: External System Services - parameters: - - - id: sa-9_prm_1 - label: organization-defined controls - - - id: sa-9_prm_2 - label: organization-defined processes, methods, and techniques - properties: - - - name: label - value: SA-9 - - - name: sort-id - value: SA-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-9_smt - name: statement - parts: - - - id: sa-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }}; - - - id: sa-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define and document organizational oversight and user roles and responsibilities with regard to external system services; and - - - id: sa-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}. - - - id: sa-9_gdn - name: guidance - prose: External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. - - - id: sa-22 - class: SP800-53 - title: Unsupported System Components - parameters: - - - id: sa-22_prm_1 - - - id: sa-22_prm_2 - depends-on: sa-22_prm_1 - label: organization-defined support from external providers - properties: - - - name: label - value: SA-22 - - - name: sort-id - value: SA-22 - links: - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: sa-22_smt - name: statement - parts: - - - id: sa-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or - - - id: sa-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}. - - - id: sa-22_gdn - name: guidance - prose: - """ - Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. - Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors. - """ - - - id: sc - class: family - title: System and Communications Protection - controls: - - - id: sc-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sc-1_prm_1 - label: organization-defined personnel or roles - - - id: sc-1_prm_2 - - - id: sc-1_prm_3 - label: organization-defined official - - - id: sc-1_prm_4 - label: organization-defined frequency - - - id: sc-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SC-1 - - - name: sort-id - value: SC-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sc-1_smt - name: statement - parts: - - - id: sc-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sc-1_prm_1 }}: - parts: - - - id: sc-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sc-1_prm_2 }} system and communications protection policy that: - """ - parts: - - - id: sc-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sc-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sc-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; - - - id: sc-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and - - - id: sc-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and communications protection: - parts: - - - id: sc-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sc-1_prm_4 }}; and - - - id: sc-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sc-1_prm_5 }}. - - - id: sc-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sc-5 - class: SP800-53 - title: Denial of Service Protection - parameters: - - - id: sc-5_prm_1 - - - id: sc-5_prm_2 - label: organization-defined types of denial of service events - - - id: sc-5_prm_3 - label: organization-defined controls by type of denial of service event - properties: - - - name: label - value: SC-5 - - - name: sort-id - value: SC-05 - links: - - - href: #3862cd94-ff25-4631-9a9a-b92c21a0a923 - rel: reference - text: [SP 800-189] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #sc-6 - rel: related - text: SC-6 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-40 - rel: related - text: SC-40 - parts: - - - id: sc-5_smt - name: statement - parts: - - - id: sc-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - - {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and - """ - - - id: sc-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}. - - - id: sc-5_gdn - name: guidance - prose: Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events. - - - id: sc-7 - class: SP800-53 - title: Boundary Protection - parameters: - - - id: sc-7_prm_1 - properties: - - - name: label - value: SC-7 - - - name: sort-id - value: SC-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #db7877cf-1013-4fb1-b943-ca9361d16370 - rel: reference - text: [SP 800-41] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #3862cd94-ff25-4631-9a9a-b92c21a0a923 - rel: reference - text: [SP 800-189] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-43 - rel: related - text: SC-43 - parts: - - - id: sc-7_smt - name: statement - parts: - - - id: sc-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system; - - - id: sc-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and - - - id: sc-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. - - - id: sc-7_gdn - name: guidance - prose: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. - - - id: sc-12 - class: SP800-53 - title: Cryptographic Key Establishment and Management - parameters: - - - id: sc-12_prm_1 - label: organization-defined requirements for key generation, distribution, storage, access, and destruction - properties: - - - name: label - value: SC-12 - - - name: sort-id - value: SC-12 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #77dc1838-3664-4faa-bc6e-4e2a16e52f35 - rel: reference - text: [SP 800-56A] - - - href: #f417e4ec-cadb-47a8-a363-6006b32c28ad - rel: reference - text: [SP 800-56B] - - - href: #7c3ba335-62bd-4f03-888f-960790409b11 - rel: reference - text: [SP 800-56C] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #f437b52f-7f26-42aa-8e8f-999e7d67b2fe - rel: reference - text: [IR 7956] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-11 - rel: related - text: SC-11 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-17 - rel: related - text: SC-17 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: sc-12_smt - name: statement - prose: Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}. - - - id: sc-12_gdn - name: guidance - prose: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. - - - id: sc-13 - class: SP800-53 - title: Cryptographic Protection - parameters: - - - id: sc-13_prm_1 - label: organization-defined cryptographic uses - - - id: sc-13_prm_2 - label: organization-defined types of cryptography for each specified cryptographic use - properties: - - - name: label - value: SC-13 - - - name: sort-id - value: SC-13 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: sc-13_smt - name: statement - parts: - - - id: sc-13_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine the {{ sc-13_prm_1 }}; and - - - id: sc-13_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}. - - - id: sc-13_gdn - name: guidance - prose: Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - - - id: sc-15 - class: SP800-53 - title: Collaborative Computing Devices and Applications - parameters: - - - id: sc-15_prm_1 - label: organization-defined exceptions where remote activation is to be allowed - properties: - - - name: label - value: SC-15 - - - name: sort-id - value: SC-15 - links: - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #sc-42 - rel: related - text: SC-42 - parts: - - - id: sc-15_smt - name: statement - parts: - - - id: sc-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and - - - id: sc-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide an explicit indication of use to users physically present at the devices. - - - id: sc-15_gdn - name: guidance - prose: Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated. - - - id: sc-20 - class: SP800-53 - title: Secure Name/address Resolution Service (authoritative Source) - properties: - - - name: label - value: SC-20 - - - name: sort-id - value: SC-20 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #au-10 - rel: related - text: AU-10 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-21 - rel: related - text: SC-21 - - - href: #sc-22 - rel: related - text: SC-22 - parts: - - - id: sc-20_smt - name: statement - parts: - - - id: sc-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and - - - id: sc-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. - - - id: sc-20_gdn - name: guidance - prose: This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data. - - - id: sc-21 - class: SP800-53 - title: Secure Name/address Resolution Service (recursive or Caching Resolver) - properties: - - - name: label - value: SC-21 - - - name: sort-id - value: SC-21 - links: - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-22 - rel: related - text: SC-22 - parts: - - - id: sc-21_smt - name: statement - prose: Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. - - - id: sc-21_gdn - name: guidance - prose: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data. - - - id: sc-22 - class: SP800-53 - title: Architecture and Provisioning for Name/address Resolution Service - properties: - - - name: label - value: SC-22 - - - name: sort-id - value: SC-22 - links: - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-21 - rel: related - text: SC-21 - - - href: #sc-24 - rel: related - text: SC-24 - parts: - - - id: sc-22_smt - name: statement - prose: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. - - - id: sc-22_gdn - name: guidance - prose: Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists. - - - id: sc-39 - class: SP800-53 - title: Process Isolation - properties: - - - name: label - value: SC-39 - - - name: sort-id - value: SC-39 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #si-16 - rel: related - text: SI-16 - parts: - - - id: sc-39_smt - name: statement - prose: Maintain a separate execution domain for each executing system process. - - - id: sc-39_gdn - name: guidance - prose: Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies. - - - id: si - class: family - title: System and Information Integrity - controls: - - - id: si-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: si-1_prm_1 - label: organization-defined personnel or roles - - - id: si-1_prm_2 - - - id: si-1_prm_3 - label: organization-defined official - - - id: si-1_prm_4 - label: organization-defined frequency - - - id: si-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SI-1 - - - name: sort-id - value: SI-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: si-1_smt - name: statement - parts: - - - id: si-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ si-1_prm_1 }}: - parts: - - - id: si-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ si-1_prm_2 }} system and information integrity policy that: - """ - parts: - - - id: si-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: si-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: si-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; - - - id: si-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and - - - id: si-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and information integrity: - parts: - - - id: si-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ si-1_prm_4 }}; and - - - id: si-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ si-1_prm_5 }}. - - - id: si-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: si-2 - class: SP800-53 - title: Flaw Remediation - parameters: - - - id: si-2_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: SI-2 - - - name: sort-id - value: SI-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - rel: reference - text: [IR 7788] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-5 - rel: related - text: SI-5 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: si-2_smt - name: statement - parts: - - - id: si-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify, report, and correct system flaws; - - - id: si-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; - - - id: si-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and - - - id: si-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Incorporate flaw remediation into the organizational configuration management process. - - - id: si-2_gdn - name: guidance - prose: - """ - The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. - Organization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. - """ - - - id: si-3 - class: SP800-53 - title: Malicious Code Protection - parameters: - - - id: si-3_prm_1 - - - id: si-3_prm_2 - label: organization-defined frequency - - - id: si-3_prm_3 - - - id: si-3_prm_4 - - - id: si-3_prm_5 - depends-on: si-3_prm_4 - label: organization-defined action - - - id: si-3_prm_6 - label: organization-defined personnel or roles - properties: - - - name: label - value: SI-3 - - - name: sort-id - value: SI-03 - links: - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #c972a85c-fa75-4596-be25-a338dc7e4e46 - rel: reference - text: [SP 800-125B] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-26 - rel: related - text: SC-26 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-44 - rel: related - text: SC-44 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-8 - rel: related - text: SI-8 - - - href: #si-15 - rel: related - text: SI-15 - parts: - - - id: si-3_smt - name: statement - parts: - - - id: si-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; - - - id: si-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; - - - id: si-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Configure malicious code protection mechanisms to: - parts: - - - id: si-3_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and - - - id: si-3_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection. - """ - - - id: si-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. - - - id: si-3_gdn - name: guidance - prose: - """ - System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. - Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions. - In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files. - """ - - - id: si-4 - class: SP800-53 - title: System Monitoring - parameters: - - - id: si-4_prm_1 - label: organization-defined monitoring objectives - - - id: si-4_prm_2 - label: organization-defined techniques and methods - - - id: si-4_prm_3 - label: organization-defined system monitoring information - - - id: si-4_prm_4 - label: organization-defined personnel or roles - - - id: si-4_prm_5 - - - id: si-4_prm_6 - depends-on: si-4_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SI-4 - - - name: sort-id - value: SI-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #02d8ec60-6197-43f8-9f47-18732127963e - rel: reference - text: [SP 800-92] - - - href: #41e2e2c6-2260-4258-85c8-09db17c43103 - rel: reference - text: [SP 800-94] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-10 - rel: related - text: IA-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-26 - rel: related - text: SC-26 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #sc-35 - rel: related - text: SC-35 - - - href: #sc-36 - rel: related - text: SC-36 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-6 - rel: related - text: SI-6 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - parts: - - - id: si-4_smt - name: statement - parts: - - - id: si-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor the system to detect: - parts: - - - id: si-4_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and - - - id: si-4_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Unauthorized local, network, and remote connections; - - - id: si-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }}; - - - id: si-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Invoke internal monitoring capabilities or deploy monitoring devices: - parts: - - - id: si-4_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Strategically within the system to collect organization-determined essential information; and - - - id: si-4_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: At ad hoc locations within the system to track specific types of transactions of interest to the organization; - - - id: si-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; - - - id: si-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; - - - id: si-4_smt.f - name: item - properties: - - - name: label - value: f. - prose: Obtain legal opinion regarding system monitoring activities; and - - - id: si-4_smt.g - name: item - properties: - - - name: label - value: g. - prose: - """ - Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }} - {{ si-4_prm_5 }}. - """ - - - id: si-4_gdn - name: guidance - prose: - """ - System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. - Depending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - """ - - - id: si-5 - class: SP800-53 - title: Security Alerts, Advisories, and Directives - parameters: - - - id: si-5_prm_1 - label: organization-defined external organizations - - - id: si-5_prm_2 - - - id: si-5_prm_3 - depends-on: si-5_prm_2 - label: organization-defined personnel or roles - - - id: si-5_prm_4 - depends-on: si-5_prm_2 - label: organization-defined elements within the organization - - - id: si-5_prm_5 - depends-on: si-5_prm_2 - label: organization-defined external organizations - properties: - - - name: label - value: SI-5 - - - name: sort-id - value: SI-05 - links: - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #pm-15 - rel: related - text: PM-15 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: si-5_smt - name: statement - parts: - - - id: si-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis; - - - id: si-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Generate internal security alerts, advisories, and directives as deemed necessary; - - - id: si-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and - - - id: si-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. - - - id: si-5_gdn - name: guidance - prose: The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations. - - - id: si-12 - class: SP800-53 - title: Information Management and Retention - properties: - - - name: label - value: SI-12 - - - name: sort-id - value: SI-12 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-3 - rel: related - text: MP-3 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sr-1 - rel: related - text: SR-1 - parts: - - - id: si-12_smt - name: statement - prose: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. - - - id: si-12_gdn - name: guidance - prose: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel. - - - id: sr - class: family - title: Supply Chain Risk Management - controls: - - - id: sr-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sr-1_prm_1 - label: organization-defined personnel or roles - - - id: sr-1_prm_2 - - - id: sr-1_prm_3 - label: organization-defined official - - - id: sr-1_prm_4 - label: organization-defined frequency - - - id: sr-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SR-1 - - - name: sort-id - value: SR-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sr-1_smt - name: statement - parts: - - - id: sr-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sr-1_prm_1 }}: - parts: - - - id: sr-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sr-1_prm_2 }} supply chain risk management policy that: - """ - parts: - - - id: sr-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sr-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sr-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; - - - id: sr-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and - - - id: sr-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current supply chain risk management: - parts: - - - id: sr-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sr-1_prm_4 }}; and - - - id: sr-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sr-1_prm_5 }}. - - - id: sr-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sr-2 - class: SP800-53 - title: Supply Chain Risk Management Plan - parameters: - - - id: sr-2_prm_1 - label: organization-defined systems, system components, or system services - - - id: sr-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SR-2 - - - name: sort-id - value: SR-02 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: sr-2_smt - name: statement - parts: - - - id: sr-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }}; - - - id: sr-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the supply chain risk management plan consistently across the organization; and - - - id: sr-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes. - - - id: sr-2_gdn - name: guidance - prose: - """ - The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. - Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8). - """ - controls: - - - id: sr-2.1 - class: SP800-53-enhancement - title: Establish Scrm Team - parameters: - - - id: sr-2.1_prm_1 - label: organization-defined personnel, roles, and responsibilities - - - id: sr-2.1_prm_2 - label: organization-defined supply chain risk management activities - properties: - - - name: label - value: SR-2(1) - - - name: sort-id - value: SR-02(01) - parts: - - - id: sr-2.1_smt - name: statement - prose: Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}. - - - id: sr-2.1_gdn - name: guidance - prose: To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team. - - - id: sr-3 - class: SP800-53 - title: Supply Chain Controls and Processes - parameters: - - - id: sr-3_prm_1 - label: organization-defined system or system component - - - id: sr-3_prm_2 - label: organization-defined supply chain personnel - - - id: sr-3_prm_3 - label: organization-defined supply chain controls - - - id: sr-3_prm_4 - - - id: sr-3_prm_5 - depends-on: sr-3_prm_4 - label: organization-defined document - properties: - - - name: label - value: SR-3 - - - name: sort-id - value: SR-03 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-29 - rel: related - text: SC-29 - - - href: #sc-30 - rel: related - text: SC-30 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-3_smt - name: statement - parts: - - - id: sr-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }}; - - - id: sr-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and - - - id: sr-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}. - - - id: sr-3_gdn - name: guidance - prose: Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain. - - - id: sr-5 - class: SP800-53 - title: Acquisition Strategies, Tools, and Methods - parameters: - - - id: sr-5_prm_1 - label: organization-defined acquisition strategies, contract tools, and procurement methods - properties: - - - name: label - value: SR-5 - - - name: sort-id - value: SR-05 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-5_smt - name: statement - prose: Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}. - - - id: sr-5_gdn - name: guidance - prose: The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements. - - - id: sr-8 - class: SP800-53 - title: Notification Agreements - parameters: - - - id: sr-8_prm_1 - - - id: sr-8_prm_2 - depends-on: sr-8_prm_1 - label: organization-defined information - properties: - - - name: label - value: SR-8 - - - name: sort-id - value: SR-08 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - parts: - - - id: sr-8_smt - name: statement - prose: Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}. - - - id: sr-8_gdn - name: guidance - prose: The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes. - - - id: sr-10 - class: SP800-53 - title: Inspection of Systems or Components - parameters: - - - id: sr-10_prm_1 - - - id: sr-10_prm_2 - depends-on: sr-10_prm_1 - label: organization-defined frequency - - - id: sr-10_prm_3 - depends-on: sr-10_prm_1 - label: organization-defined indications of need for inspection - - - id: sr-10_prm_4 - label: organization-defined systems or system components - properties: - - - name: label - value: SR-10 - - - name: sort-id - value: SR-10 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-10_smt - name: statement - prose: Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}. - - - id: sr-10_gdn - name: guidance - prose: Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations. - - - id: sr-11 - class: SP800-53 - title: Component Authenticity - parameters: - - - id: sr-11_prm_1 - - - id: sr-11_prm_2 - depends-on: sr-11_prm_1 - label: organization-defined external reporting organizations - - - id: sr-11_prm_3 - depends-on: sr-11_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SR-11 - - - name: sort-id - value: SR-11 - links: - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - parts: - - - id: sr-11_smt - name: statement - parts: - - - id: sr-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and - - - id: sr-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report counterfeit system components to {{ sr-11_prm_1 }}. - - - id: sr-11_gdn - name: guidance - prose: Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA. - controls: - - - id: sr-11.1 - class: SP800-53-enhancement - title: Anti-counterfeit Training - parameters: - - - id: sr-11.1_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SR-11(1) - - - name: sort-id - value: SR-11(01) - links: - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: sr-11.1_smt - name: statement - prose: Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware). - - - id: sr-11.1_gdn - name: guidance - prose: None. - - - id: sr-11.2 - class: SP800-53-enhancement - title: Configuration Control for Component Service and Repair - parameters: - - - id: sr-11.2_prm_1 - label: organization-defined system components - properties: - - - name: label - value: SR-11(2) - - - name: sort-id - value: SR-11(02) - links: - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sa-10 - rel: related - text: SA-10 - parts: - - - id: sr-11.2_smt - name: statement - prose: Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}. - - - id: sr-11.2_gdn - name: guidance - prose: None. - - - id: sr-11.3 - class: SP800-53-enhancement - title: Component Disposal - parameters: - - - id: sr-11.3_prm_1 - label: organization-defined techniques and methods - properties: - - - name: label - value: SR-11(3) - - - name: sort-id - value: SR-11(03) - links: - - - href: #mp-6 - rel: related - text: MP-6 - parts: - - - id: sr-11.3_smt - name: statement - prose: Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}. - - - id: sr-11.3_gdn - name: guidance - prose: Proper disposal of system components helps to prevent such components from entering the gray market. - back-matter: - resources: - - - uuid: a7dfa526-b81f-41d7-9875-c8b0faafe74b - title: [PRIVACT] - citation: - text: Privacy Act (P.L. 93-579), December 1974. - rlinks: - - - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf - - - uuid: 43facb7b-0afb-480f-8191-34790d5b444b - title: [EVIDACT] - citation: - text: Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019. - rlinks: - - - href: https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf - - - uuid: 52a8b0c6-0c6b-424b-928d-41c50ba87838 - title: [EO 13526] - citation: - text: Executive Order 13526, *Classified National Security Information*, December 2009. - rlinks: - - - href: https://www.archives.gov/isoo/policy-documents/cnsi-eo.html - - - uuid: 14958422-54f6-471f-a345-802dca594dd8 - title: [FISMA] - citation: - text: Federal Information Security Modernization Act (P.L. 113-283), December 2014. - rlinks: - - - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf - - - uuid: 2b5e12fb-633f-49e6-8aff-81d75bf53545 - title: [EO 13587] - citation: - text: Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011. - rlinks: - - - href: https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net - - - uuid: cde25174-38e0-4a00-8919-8ee3674b8088 - title: [HSPD 7] - citation: - text: Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003. - rlinks: - - - href: https://www.dhs.gov/homeland-security-presidential-directive-7 - - - uuid: 2383ccfd-d8a0-4e3a-bf40-21288ae1e07a - title: [5 CFR 731] - citation: - text: Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106). - rlinks: - - - href: https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf - - - uuid: 742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - title: [32 CFR 2002] - citation: - text: Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002). - rlinks: - - - href: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information - - - uuid: 286d42a1-efbe-49a2-9ce1-4c9bf68feb3b - title: [ODNI NITP] - citation: - text: - """ - Office of the Director National Intelligence, *National Insider Threat Policy* - - """ - rlinks: - - - href: https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf - - - uuid: 395f6bb9-bcc2-41fc-977f-04372f4a6a82 - title: [OMB A-108] - citation: - text: - """ - Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf - - - uuid: a646d45d-775f-4887-86d3-5a00ffbc4090 - title: [OMB A-130] - citation: - text: Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016. - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf - - - uuid: f7d3617a-9a4f-4f1a-a688-845081b70390 - title: [OMB M-17-06] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf - - - uuid: 389fe193-866e-46b1-bf1d-38904b56aa7b - title: [OMB M-17-12] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. ** - - """ - rlinks: - - - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf - - - uuid: ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3 - title: [OMB M-17-25] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf - - - uuid: d843e915-eeb6-4bbe-8cab-ccc802088703 - title: [OMB M-19-23] - citation: - text: - """ - Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf - - - uuid: ee96f130-3f91-46ed-a4d8-57e5f220a623 - title: [CNSSI 1253] - citation: - text: Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014. - rlinks: - - - href: https://www.cnss.gov/CNSS/issuances/Instructions.cfm - - - uuid: 24b7b1ec-6430-41de-9353-29fdb1b488fc - title: [DHS NIPP] - citation: - text: Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009. - rlinks: - - - href: https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf - - - uuid: 6ddb507b-6ddb-4e15-a8d4-0854e704446e - title: [ISO 15408-1] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf - - - uuid: 18abb755-c10f-407d-b0ef-4f99e5ec4a49 - title: [ISO 15408-2] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf - - - uuid: 2ce3a8bf-7f8b-4249-bd16-808231415b14 - title: [ISO 15408-3] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf - - - uuid: aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - title: [FIPS 140-3] - citation: - text: National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.140-3 - - - uuid: d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - title: [FIPS 180-4] - citation: - text: National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.180-4 - - - uuid: 0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - title: [FIPS 186-4] - citation: - text: National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.186-4 - - - uuid: bbc7085f-b383-444e-af74-722a55cccc0f - title: [FIPS 197] - citation: - text: National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.197 - - - uuid: b3e26423-0687-47c7-ba9a-a96870d58a27 - title: [FIPS 199] - citation: - text: National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.199 - - - uuid: f2163084-3287-45e2-9ee7-95f020415495 - title: [FIPS 200] - citation: - text: National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.200 - - - uuid: ab414c48-b7a2-4ffe-b74d-4d8b8120adce - title: [FIPS 201-2] - citation: - text: National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.201-2 - - - uuid: 11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - title: [FIPS 202] - citation: - text: National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.202 - - - uuid: 12702585-0c72-43c9-9185-a76a59f74233 - title: [SP 800-12] - citation: - text: - """ - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-12r1 - - - uuid: ae962073-f9bb-4210-b1ad-53ef6f6afad6 - title: [SP 800-18] - citation: - text: - """ - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-18r1 - - - uuid: 1d9f757b-00d5-4db1-b15b-0ad641c6df7c - title: [SP 800-30] - citation: - text: Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-30r1 - - - uuid: 65774382-fcc6-4bbc-89fc-9d35aab19952 - title: [SP 800-34] - citation: - text: Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-34r1 - - - uuid: ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - title: [SP 800-35] - citation: - text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-35 - - - uuid: e07d73ea-96b9-4330-aff2-e0215f455343 - title: [SP 800-37] - citation: - text: Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-37r2 - - - uuid: 451e9636-402e-4c27-b3f5-e0e50f957f27 - title: [SP 800-39] - citation: - text: Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-39 - - - uuid: 1126ec09-2b27-4a21-80b2-fef70b31c49d - title: [SP 800-40] - citation: - text: Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-40r3 - - - uuid: db7877cf-1013-4fb1-b943-ca9361d16370 - title: [SP 800-41] - citation: - text: Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-41r1 - - - uuid: 7768c184-088d-4ee8-a316-f9286b52df7f - title: [SP 800-46] - citation: - text: Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-46r2 - - - uuid: 2e66c31a-190e-49ad-8e00-f306f8a0df17 - title: [SP 800-47] - citation: - text: Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-47 - - - uuid: 2e29c363-d5be-47ba-92f5-f8a58a69b65e - title: [SP 800-50] - citation: - text: Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-50 - - - uuid: 5db6dfe4-788e-4183-93b9-f6fb29d75e41 - title: [SP 800-53A] - citation: - text: Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 - - - uuid: 31f3c9de-c57c-4281-929b-f9951f9640f1 - title: [SP 800-53B] - citation: - text: National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020. - - - uuid: 8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - title: [SP 800-55] - citation: - text: Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-55r1 - - - uuid: 77dc1838-3664-4faa-bc6e-4e2a16e52f35 - title: [SP 800-56A] - citation: - text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Ar3 - - - uuid: f417e4ec-cadb-47a8-a363-6006b32c28ad - title: [SP 800-56B] - citation: - text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Br2 - - - uuid: 7c3ba335-62bd-4f03-888f-960790409b11 - title: [SP 800-56C] - citation: - text: Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Cr1 - - - uuid: 770f9bdc-4023-48ef-8206-c65397f061ea - title: [SP 800-57-1] - citation: - text: Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt1r4 - - - uuid: 69644a9e-438a-47c3-bac9-cf28b5baf848 - title: [SP 800-57-2] - citation: - text: Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt2r1 - - - uuid: 9933c883-e8f3-4a83-9a9a-d1e058038080 - title: [SP 800-57-3] - citation: - text: Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt3r1 - - - uuid: 68949f14-9cf5-4116-91d8-e820b9df3ffd - title: [SP 800-60 v1] - citation: - text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 - - - uuid: e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - title: [SP 800-60 v2] - citation: - text: Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 - - - uuid: 7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - title: [SP 800-61] - citation: - text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-61r2 - - - uuid: 549993c0-9bdd-4d49-875c-f56950cc5f30 - title: [SP 800-63-3] - citation: - text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-63-3 - - - uuid: 14a7d982-9747-48e0-a877-3e8fbf6ae381 - title: [SP 800-70] - citation: - text: Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-70r4 - - - uuid: 3d6b3a16-94e7-4a43-8648-8bdeaadb271b - title: [SP 800-73-4] - citation: - text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-73-4 - - - uuid: d5ef0056-c807-44c3-a7b5-6eb491538f8e - title: [SP 800-76-2] - citation: - text: - """ - Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-76-2 - - - uuid: 8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - title: [SP 800-77] - citation: - text: Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-77 - - - uuid: 013e098f-0680-4856-a130-b768c69dab9c - title: [SP 800-78-4] - citation: - text: - """ - Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-78-4 - - - uuid: bb55e71a-e059-4263-8dd8-bc96fd3f063d - title: [SP 800-79-2] - citation: - text: - """ - Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-79-2 - - - uuid: 93d44344-59f9-4669-845d-6cc2a5852621 - title: [SP 800-81-2] - citation: - text: - """ - Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-81-2 - - - uuid: 8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - title: [SP 800-83] - citation: - text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-83r1 - - - uuid: 20bf433b-074c-47a0-8fca-cd591772ccd6 - title: [SP 800-84] - citation: - text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-84 - - - uuid: 35dfd59f-eef2-4f71-bdb5-6d878267456a - title: [SP 800-86] - citation: - text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-86 - - - uuid: fed6a3b5-2b74-499f-9172-46671f7c24c8 - title: [SP 800-88] - citation: - text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-88r1 - - - uuid: 02d8ec60-6197-43f8-9f47-18732127963e - title: [SP 800-92] - citation: - text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-92 - - - uuid: 41e2e2c6-2260-4258-85c8-09db17c43103 - title: [SP 800-94] - citation: - text: Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-94 - - - uuid: 6bed1550-cd5d-4e80-8d83-4e597c1514fe - title: [SP 800-97] - citation: - text: Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-97 - - - uuid: 9183bd83-170e-4701-b32c-97e08ef8bedb - title: [SP 800-100] - citation: - text: Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-100 - - - uuid: 1e2c475a-84ae-4c60-b420-8fb2ea552b71 - title: [SP 800-101] - citation: - text: - """ - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-101r1 - - - uuid: 1b14b50f-7154-4226-958c-7dfff8276755 - title: [SP 800-111] - citation: - text: - """ - Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-111 - - - uuid: 36132a58-56fd-4980-9f6c-c010d3faf52b - title: [SP 800-113] - citation: - text: Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-113 - - - uuid: 49fa1ee1-aaf7-4270-bb5a-a86497f717dc - title: [SP 800-114] - citation: - text: Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-114r1 - - - uuid: a6b97214-55d4-4b86-a3a4-53d5911d96f7 - title: [SP 800-115] - citation: - text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-115 - - - uuid: ad7d575f-b5fe-489b-8d48-36a93d964a5f - title: [SP 800-116] - citation: - text: Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-116r1 - - - uuid: 60b24979-65b8-4ca5-a442-11b74339fab5 - title: [SP 800-121] - citation: - text: Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-121r2 - - - uuid: 18c6942b-95f8-414c-b548-c8e6b8d8a172 - title: [SP 800-124] - citation: - text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-124r1 - - - uuid: c972a85c-fa75-4596-be25-a338dc7e4e46 - title: [SP 800-125B] - citation: - text: Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-125B - - - uuid: 0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - title: [SP 800-126] - citation: - text: Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-126r3 - - - uuid: a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - title: [SP 800-128] - citation: - text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-128 - - - uuid: ae412317-c2b4-47bb-b47b-c329ce0d7a0b - title: [SP 800-130] - citation: - text: Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-130 - - - uuid: c3b34083-77b2-4dab-a980-73068f8933bd - title: [SP 800-137] - citation: - text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-137 - - - uuid: ad3e8f21-07c6-4968-b002-00b64dfa70ae - title: [SP 800-150] - citation: - text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-150 - - - uuid: 38dbdf55-9a14-446f-b563-c48e4e3d37fb - title: [SP 800-152] - citation: - text: Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-152 - - - uuid: f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa - title: [SP 800-156] - citation: - text: Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-156 - - - uuid: 8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - title: [SP 800-160 v1] - citation: - text: Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v1 - - - uuid: 8411e6e8-09bd-431d-bbcb-3423d36ad880 - title: [SP 800-160 v2] - citation: - text: Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v2 - - - uuid: 66476e76-46b4-47fb-be19-d13e6f3840df - title: [SP 800-161] - citation: - text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-161 - - - uuid: 359f960c-2598-454c-ba3b-a30c553e498f - title: [SP 800-162] - citation: - text: Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-162 - - - uuid: a8f55663-86c5-415b-aabe-d2a126981d65 - title: [SP 800-166] - citation: - text: Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-166 - - - uuid: 893d1736-324c-41d6-a5f4-d526b5ca981a - title: [SP 800-167] - citation: - text: Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-167 - - - uuid: 0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - title: [SP 800-171] - citation: - text: Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-171r2 - - - uuid: aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - title: [SP 800-171B] - citation: - text: Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B. - rlinks: - - - href: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf - - - uuid: 64e044e4-b2a9-490f-a079-1106407c812f - title: [SP 800-177] - citation: - text: Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-177r1 - - - uuid: 223b23a9-baea-4a50-8058-63cf7967b61f - title: [SP 800-178] - citation: - text: Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-178 - - - uuid: f4c3f657-de83-47ae-9aec-e144de8268d1 - title: [SP 800-181] - citation: - text: Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-181 - - - uuid: 08f518f7-f9b9-4bee-8986-860214f46b16 - title: [SP 800-184] - citation: - text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-184 - - - uuid: eadef75e-7e4d-4554-b818-44946c1dde0e - title: [SP 800-188] - citation: - text: Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - rlinks: - - - href: https://csrc.nist.gov/publications/detail/sp/800-188/draft - - - uuid: 3862cd94-ff25-4631-9a9a-b92c21a0a923 - title: [SP 800-189] - citation: - text: Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-189 - - - uuid: 06d3c11a-4a00-42d9-ad75-e6a777ffae5e - title: [SP 800-192] - citation: - text: Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-192 - - - uuid: d4779b49-8acc-45ef-b4f0-30f945e81d1b - title: [IR 7539] - citation: - text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7539 - - - uuid: 09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - title: [IR 7559] - citation: - text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7559 - - - uuid: 7b03adec-4405-4aac-94a0-6a9eb3f42e31 - title: [IR 7622] - citation: - text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7622 - - - uuid: daf69edb-a0ef-4447-9880-8c4bf553181f - title: [IR 7676] - citation: - text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7676 - - - uuid: bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - title: [IR 7788] - citation: - text: Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7788 - - - uuid: a49f67fc-827c-40e6-9a37-2b1cbe8142fd - title: [IR 7817] - citation: - text: Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7817 - - - uuid: 972c10bd-aedf-485f-b0db-f46a402127e2 - title: [IR 7849] - citation: - text: Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7849 - - - uuid: 197f7ba7-9af8-4a67-b3a4-5523d850e53b - title: [IR 7870] - citation: - text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7870 - - - uuid: bb22d510-54a9-4588-b725-00d37576562b - title: [IR 7874] - citation: - text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7874 - - - uuid: f437b52f-7f26-42aa-8e8f-999e7d67b2fe - title: [IR 7956] - citation: - text: Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7956 - - - uuid: 30213e10-2aca-47b3-8cdb-61303e0959f5 - title: [IR 7966] - citation: - text: Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7966 - - - uuid: 851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - title: [IR 8011 v1] - citation: - text: Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8011-1 - - - uuid: 7e7538d7-9c3a-4e5f-bbb4-638cec975415 - title: [IR 8023] - citation: - text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8023 - - - uuid: 24738ee6-b3f3-4e37-825b-58775846bdbc - title: [IR 8040] - citation: - text: Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8040 - - - uuid: 817b4227-5857-494d-9032-915980b32f15 - title: [IR 8062] - citation: - text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8062 - - - uuid: 7a93e915-fd58-4147-be12-e48044c367e6 - title: [IR 8179] - citation: - text: Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8179 - - - uuid: 294eed19-7471-4517-9480-2ec73e7c6a78 - title: [DOD STIG] - citation: - text: Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*. - rlinks: - - - href: https://iase.disa.mil/stigs/Pages/index.aspx - - - uuid: 17ca9481-ea11-4ef2-81c1-885fd37d4be5 - title: [IETF 5905] - citation: - text: - - - uuid: dd87fdf0-840d-4392-9de4-220b2327e340 - title: [NARA CUI] - citation: - text: National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. - rlinks: - - - href: https://www.archives.gov/cui - - - uuid: 5dac2312-1d0d-416f-aebb-400fa9775b74 - title: [NIAP CCEVS] - citation: - text: National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*. - rlinks: - - - href: https://www.niap-ccevs.org/ - - - uuid: 5cc04a1c-5489-4751-a493-746a9639067b - title: [NCPR] - citation: - text: National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at - rlinks: - - - href: https://nvd.nist.gov/ncp/repository - - - uuid: 634dec27-df88-4c30-b1a4-b57cdfd24f20 - title: [NSA CSFC] - citation: - text: National Security Agency, *Commercial Solutions for Classified Program (CSfC)*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/csfc - - - uuid: a52271dc-11b5-423a-8b6f-14867bd94259 - title: [NSA MEDIA] - citation: - text: National Security Agency, *Media Destruction Guidance*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/media-destruction - - - uuid: 06842bea-64c9-4e20-807a-b8fc003fa737 - title: [USGCB] - citation: - text: National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at - rlinks: - - - href: https://csrc.nist.gov/projects/united-states-government-configuration-baseline diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.yaml deleted file mode 100644 index 6bbcb24100..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_LOW-baseline_profile.yaml +++ /dev/null @@ -1,406 +0,0 @@ -profile: - uuid: 7ef5286d-c162-439d-8c32-6eecd08f93d5 - metadata: - title: SP800-53 LOW IMPACT BASELINE - last-modified: 2020-08-26T16:28:37.432-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: fcba95f8-df3b-47cd-ae6f-57089a2b7174 - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: fcba95f8-df3b-47cd-ae6f-57089a2b7174 - contact: - party-uuids: fcba95f8-df3b-47cd-ae6f-57089a2b7174 - imports: - - - href: NIST_SP-800-53_rev5-FPD_catalog.xml - include: - id-selectors: - - - control-id: ac-1 - - - control-id: ac-2 - - - control-id: ac-3 - - - control-id: ac-6.7 - - - control-id: ac-6.9 - - - control-id: ac-7 - - - control-id: ac-8 - - - control-id: ac-14 - - - control-id: ac-17 - - - control-id: ac-18 - - - control-id: ac-19 - - - control-id: ac-20 - - - control-id: ac-22 - - - control-id: at-1 - - - control-id: at-2 - - - control-id: at-2.2 - - - control-id: at-3 - - - control-id: at-4 - - - control-id: au-1 - - - control-id: au-2 - - - control-id: au-3 - - - control-id: au-4 - - - control-id: au-5 - - - control-id: au-6 - - - control-id: au-8 - - - control-id: au-9 - - - control-id: au-11 - - - control-id: au-12 - - - control-id: ca-1 - - - control-id: ca-2 - - - control-id: ca-3 - - - control-id: ca-5 - - - control-id: ca-6 - - - control-id: ca-7 - - - control-id: ca-7.4 - - - control-id: ca-9 - - - control-id: cm-1 - - - control-id: cm-2 - - - control-id: cm-4 - - - control-id: cm-5 - - - control-id: cm-6 - - - control-id: cm-7 - - - control-id: cm-8 - - - control-id: cm-10 - - - control-id: cm-11 - - - control-id: cp-1 - - - control-id: cp-2 - - - control-id: cp-3 - - - control-id: cp-4 - - - control-id: cp-9 - - - control-id: cp-10 - - - control-id: ia-1 - - - control-id: ia-2 - - - control-id: ia-2.1 - - - control-id: ia-2.2 - - - control-id: ia-2.8 - - - control-id: ia-2.12 - - - control-id: ia-4 - - - control-id: ia-5 - - - control-id: ia-5.1 - - - control-id: ia-6 - - - control-id: ia-7 - - - control-id: ia-8 - - - control-id: ia-8.1 - - - control-id: ia-8.2 - - - control-id: ia-8.4 - - - control-id: ia-11 - - - control-id: ir-1 - - - control-id: ir-2 - - - control-id: ir-4 - - - control-id: ir-5 - - - control-id: ir-6 - - - control-id: ir-7 - - - control-id: ir-8 - - - control-id: ma-1 - - - control-id: ma-2 - - - control-id: ma-4 - - - control-id: ma-5 - - - control-id: mp-1 - - - control-id: mp-2 - - - control-id: mp-6 - - - control-id: mp-7 - - - control-id: pe-1 - - - control-id: pe-2 - - - control-id: pe-3 - - - control-id: pe-6 - - - control-id: pe-8 - - - control-id: pe-12 - - - control-id: pe-13 - - - control-id: pe-14 - - - control-id: pe-15 - - - control-id: pe-16 - - - control-id: pl-1 - - - control-id: pl-2 - - - control-id: pl-4 - - - control-id: pl-4.1 - - - control-id: pl-10 - - - control-id: pl-11 - - - control-id: pm-1 - - - control-id: pm-2 - - - control-id: pm-3 - - - control-id: pm-4 - - - control-id: pm-5 - - - control-id: pm-5.1 - - - control-id: pm-6 - - - control-id: pm-7 - - - control-id: pm-7.1 - - - control-id: pm-8 - - - control-id: pm-9 - - - control-id: pm-10 - - - control-id: pm-11 - - - control-id: pm-12 - - - control-id: pm-13 - - - control-id: pm-14 - - - control-id: pm-15 - - - control-id: pm-16 - - - control-id: pm-16.1 - - - control-id: pm-17 - - - control-id: pm-18 - - - control-id: pm-19 - - - control-id: pm-20 - - - control-id: pm-21 - - - control-id: pm-22 - - - control-id: pm-23 - - - control-id: pm-24 - - - control-id: pm-25 - - - control-id: pm-26 - - - control-id: pm-27 - - - control-id: pm-28 - - - control-id: pm-29 - - - control-id: pm-30 - - - control-id: pm-31 - - - control-id: pm-32 - - - control-id: ps-1 - - - control-id: ps-2 - - - control-id: ps-3 - - - control-id: ps-4 - - - control-id: ps-5 - - - control-id: ps-6 - - - control-id: ps-7 - - - control-id: ps-8 - - - control-id: ra-1 - - - control-id: ra-2 - - - control-id: ra-3 - - - control-id: ra-3.1 - - - control-id: ra-5 - - - control-id: ra-5.2 - - - control-id: ra-7 - - - control-id: sa-1 - - - control-id: sa-2 - - - control-id: sa-3 - - - control-id: sa-4 - - - control-id: sa-4.10 - - - control-id: sa-5 - - - control-id: sa-8 - - - control-id: sa-9 - - - control-id: sa-22 - - - control-id: sc-1 - - - control-id: sc-5 - - - control-id: sc-7 - - - control-id: sc-12 - - - control-id: sc-13 - - - control-id: sc-15 - - - control-id: sc-20 - - - control-id: sc-21 - - - control-id: sc-22 - - - control-id: sc-39 - - - control-id: si-1 - - - control-id: si-2 - - - control-id: si-3 - - - control-id: si-4 - - - control-id: si-5 - - - control-id: si-12 - - - control-id: sr-1 - - - control-id: sr-2 - - - control-id: sr-2.1 - - - control-id: sr-3 - - - control-id: sr-5 - - - control-id: sr-8 - - - control-id: sr-10 - - - control-id: sr-11 - - - control-id: sr-11.1 - - - control-id: sr-11.2 - - - control-id: sr-11.3 - merge: - as-is: true diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.yaml deleted file mode 100644 index 19ec8d7cec..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline-resolved-profile_catalog.yaml +++ /dev/null @@ -1,27753 +0,0 @@ -catalog: - uuid: b50ea9d9-e0b8-4e91-a6b8-1ad84fb0488e - metadata: - title: SP800-53 MODERATE IMPACT BASELINE - last-modified: 2020-08-26T16:28:37.775-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - properties: - - - name: resolution-timestamp - value: 2020-08-31T17:39:50.308351Z - links: - - - href: NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.xml - rel: resolution-source - text: SP800-53 MODERATE IMPACT BASELINE - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - contact: - party-uuids: 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - groups: - - - id: ac - class: family - title: Access Control - controls: - - - id: ac-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ac-1_prm_1 - label: organization-defined personnel or roles - - - id: ac-1_prm_2 - - - id: ac-1_prm_3 - label: organization-defined official - - - id: ac-1_prm_4 - label: organization-defined frequency - - - id: ac-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AC-1 - - - name: sort-id - value: AC-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ac-1_smt - name: statement - parts: - - - id: ac-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ac-1_prm_1 }}: - parts: - - - id: ac-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ac-1_prm_2 }} access control policy that: - """ - parts: - - - id: ac-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ac-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ac-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the access control policy and the associated access controls; - - - id: ac-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and - - - id: ac-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current access control: - parts: - - - id: ac-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ac-1_prm_4 }}; and - - - id: ac-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ac-1_prm_5 }}. - - - id: ac-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ac-2 - class: SP800-53 - title: Account Management - parameters: - - - id: ac-2_prm_1 - label: organization-defined attributes (as required) - - - id: ac-2_prm_2 - label: organization-defined personnel or roles - - - id: ac-2_prm_3 - label: organization-defined policy, procedures, and conditions - - - id: ac-2_prm_4 - label: organization-defined personnel or roles - - - id: ac-2_prm_5 - label: organization-defined time-period - - - id: ac-2_prm_6 - label: organization-defined time-period - - - id: ac-2_prm_7 - label: organization-defined time-period - - - id: ac-2_prm_8 - label: organization-defined attributes (as required) - - - id: ac-2_prm_9 - label: organization-defined frequency - properties: - - - name: label - value: AC-2 - - - name: sort-id - value: AC-02 - links: - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #06d3c11a-4a00-42d9-ad75-e6a777ffae5e - rel: reference - text: [SP 800-192] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ac-24 - rel: related - text: AC-24 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-37 - rel: related - text: SC-37 - parts: - - - id: ac-2_smt - name: statement - parts: - - - id: ac-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define and document the types of accounts allowed for use within the system; - - - id: ac-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Assign account managers; - - - id: ac-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Establish conditions for group and role membership; - - - id: ac-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Specify: - parts: - - - id: ac-2_smt.d.1 - name: item - properties: - - - name: label - value: 1. - prose: Authorized users of the system; - - - id: ac-2_smt.d.2 - name: item - properties: - - - name: label - value: 2. - prose: Group and role membership; and - - - id: ac-2_smt.d.3 - name: item - properties: - - - name: label - value: 3. - prose: Access authorizations (i.e., privileges) and {{ ac-2_prm_1 }} for each account; - - - id: ac-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Require approvals by {{ ac-2_prm_2 }} for requests to create accounts; - - - id: ac-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Create, enable, modify, disable, and remove accounts in accordance with {{ ac-2_prm_3 }}; - - - id: ac-2_smt.g - name: item - properties: - - - name: label - value: g. - prose: Monitor the use of accounts; - - - id: ac-2_smt.h - name: item - properties: - - - name: label - value: h. - prose: Notify account managers and {{ ac-2_prm_4 }} within: - parts: - - - id: ac-2_smt.h.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ac-2_prm_5 }} when accounts are no longer required; - """ - - - id: ac-2_smt.h.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ ac-2_prm_6 }} when users are terminated or transferred; and - """ - - - id: ac-2_smt.h.3 - name: item - properties: - - - name: label - value: 3. - prose: - """ - - {{ ac-2_prm_7 }} when system usage or need-to-know changes for an individual; - """ - - - id: ac-2_smt.i - name: item - properties: - - - name: label - value: i. - prose: Authorize access to the system based on: - parts: - - - id: ac-2_smt.i.1 - name: item - properties: - - - name: label - value: 1. - prose: A valid access authorization; - - - id: ac-2_smt.i.2 - name: item - properties: - - - name: label - value: 2. - prose: Intended system usage; and - - - id: ac-2_smt.i.3 - name: item - properties: - - - name: label - value: 3. - prose: - """ - - {{ ac-2_prm_8 }}; - """ - - - id: ac-2_smt.j - name: item - properties: - - - name: label - value: j. - prose: Review accounts for compliance with account management requirements {{ ac-2_prm_9 }}; - - - id: ac-2_smt.k - name: item - properties: - - - name: label - value: k. - prose: Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and - - - id: ac-2_smt.l - name: item - properties: - - - name: label - value: l. - prose: Align account management processes with personnel termination and transfer processes. - - - id: ac-2_gdn - name: guidance - prose: - """ - Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy. - Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. - Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training. - """ - controls: - - - id: ac-2.1 - class: SP800-53-enhancement - title: Automated System Account Management - parameters: - - - id: ac-2.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: AC-2(1) - - - name: sort-id - value: AC-02(01) - parts: - - - id: ac-2.1_smt - name: statement - prose: Support the management of system accounts using {{ ac-2.1_prm_1 }}. - - - id: ac-2.1_gdn - name: guidance - prose: Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage. - - - id: ac-2.2 - class: SP800-53-enhancement - title: Automated Temporary and Emergency Account Management - parameters: - - - id: ac-2.2_prm_1 - - - id: ac-2.2_prm_2 - label: organization-defined time-period for each type of account - properties: - - - name: label - value: AC-2(2) - - - name: sort-id - value: AC-02(02) - parts: - - - id: ac-2.2_smt - name: statement - prose: Automatically {{ ac-2.2_prm_1 }} temporary and emergency accounts after {{ ac-2.2_prm_2 }}. - - - id: ac-2.2_gdn - name: guidance - prose: Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation. - - - id: ac-2.3 - class: SP800-53-enhancement - title: Disable Accounts - parameters: - - - id: ac-2.3_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AC-2(3) - - - name: sort-id - value: AC-02(03) - parts: - - - id: ac-2.3_smt - name: statement - prose: Disable accounts when the accounts: - parts: - - - id: ac-2.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Have expired; - - - id: ac-2.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Are no longer associated with a user or individual; - - - id: ac-2.3_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Are in violation of organizational policy; or - - - id: ac-2.3_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Have been inactive for {{ ac-2.3_prm_1 }}. - - - id: ac-2.3_gdn - name: guidance - prose: Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system. - - - id: ac-2.4 - class: SP800-53-enhancement - title: Automated Audit Actions - properties: - - - name: label - value: AC-2(4) - - - name: sort-id - value: AC-02(04) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - parts: - - - id: ac-2.4_smt - name: statement - prose: Automatically audit account creation, modification, enabling, disabling, and removal actions. - - - id: ac-2.4_gdn - name: guidance - prose: Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6. - - - id: ac-2.5 - class: SP800-53-enhancement - title: Inactivity Logout - parameters: - - - id: ac-2.5_prm_1 - label: organization-defined time-period of expected inactivity or description of when to log out - properties: - - - name: label - value: AC-2(5) - - - name: sort-id - value: AC-02(05) - links: - - - href: #ac-11 - rel: related - text: AC-11 - parts: - - - id: ac-2.5_smt - name: statement - prose: Require that users log out when {{ ac-2.5_prm_1 }}. - - - id: ac-2.5_gdn - name: guidance - prose: Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11. - - - id: ac-2.13 - class: SP800-53-enhancement - title: Disable Accounts for High-risk Individuals - parameters: - - - id: ac-2.13_prm_1 - label: organization-defined time-period - - - id: ac-2.13_prm_2 - label: organization-defined significant risks - properties: - - - name: label - value: AC-2(13) - - - name: sort-id - value: AC-02(13) - links: - - - href: #au-6 - rel: related - text: AU-6 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-2.13_smt - name: statement - prose: Disable accounts of users within {{ ac-2.13_prm_1 }} of discovery of {{ ac-2.13_prm_2 }}. - - - id: ac-2.13_gdn - name: guidance - prose: Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement. - - - id: ac-3 - class: SP800-53 - title: Access Enforcement - properties: - - - name: label - value: AC-3 - - - name: sort-id - value: AC-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #ac-24 - rel: related - text: AC-24 - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-6 - rel: related - text: IA-6 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-4 - rel: related - text: SC-4 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-3_smt - name: statement - prose: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - - - id: ac-3_gdn - name: guidance - prose: Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family. - - - id: ac-4 - class: SP800-53 - title: Information Flow Enforcement - parameters: - - - id: ac-4_prm_1 - label: organization-defined information flow control policies - properties: - - - name: label - value: AC-4 - - - name: sort-id - value: AC-04 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #359f960c-2598-454c-ba3b-a30c553e498f - rel: reference - text: [SP 800-162] - - - href: #223b23a9-baea-4a50-8058-63cf7967b61f - rel: reference - text: [SP 800-178] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-4 - rel: related - text: SC-4 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-16 - rel: related - text: SC-16 - - - href: #sc-31 - rel: related - text: SC-31 - parts: - - - id: ac-4_smt - name: statement - prose: Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ ac-4_prm_1 }}. - - - id: ac-4_gdn - name: guidance - prose: - """ - Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels. - Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS). - """ - - - id: ac-5 - class: SP800-53 - title: Separation of Duties - parameters: - - - id: ac-5_prm_1 - label: organization-defined duties of individuals requiring separation - properties: - - - name: label - value: AC-5 - - - name: sort-id - value: AC-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: ac-5_smt - name: statement - parts: - - - id: ac-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document {{ ac-5_prm_1 }}; and - - - id: ac-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define system access authorizations to support separation of duties. - - - id: ac-5_gdn - name: guidance - prose: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3. - - - id: ac-6 - class: SP800-53 - title: Least Privilege - properties: - - - name: label - value: AC-6 - - - name: sort-id - value: AC-06 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-38 - rel: related - text: SC-38 - parts: - - - id: ac-6_smt - name: statement - prose: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. - - - id: ac-6_gdn - name: guidance - prose: Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems. - controls: - - - id: ac-6.1 - class: SP800-53-enhancement - title: Authorize Access to Security Functions - parameters: - - - id: ac-6.1_prm_1 - label: organization-defined individuals or roles - - - id: ac-6.1_prm_2 - label: organization-defined security functions (deployed in hardware, software, and firmware) - - - id: ac-6.1_prm_3 - label: organization-defined security-relevant information - properties: - - - name: label - value: AC-6(1) - - - name: sort-id - value: AC-06(01) - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #pe-2 - rel: related - text: PE-2 - parts: - - - id: ac-6.1_smt - name: statement - prose: Explicitly authorize access for {{ ac-6.1_prm_1 }} to: - parts: - - - id: ac-6.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: - """ - - {{ ac-6.1_prm_2 }}; and - """ - - - id: ac-6.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: - """ - - {{ ac-6.1_prm_3 }}. - """ - - - id: ac-6.1_gdn - name: guidance - prose: Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users. - - - id: ac-6.2 - class: SP800-53-enhancement - title: Non-privileged Access for Nonsecurity Functions - parameters: - - - id: ac-6.2_prm_1 - label: organization-defined security functions or security-relevant information - properties: - - - name: label - value: AC-6(2) - - - name: sort-id - value: AC-06(02) - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #pl-4 - rel: related - text: PL-4 - parts: - - - id: ac-6.2_smt - name: statement - prose: Require that users of system accounts (or roles) with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions. - - - id: ac-6.2_gdn - name: guidance - prose: Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. - - - id: ac-6.5 - class: SP800-53-enhancement - title: Privileged Accounts - parameters: - - - id: ac-6.5_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: AC-6(5) - - - name: sort-id - value: AC-06(05) - links: - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - parts: - - - id: ac-6.5_smt - name: statement - prose: Restrict privileged accounts on the system to {{ ac-6.5_prm_1 }}. - - - id: ac-6.5_gdn - name: guidance - prose: Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. - - - id: ac-6.7 - class: SP800-53-enhancement - title: Review of User Privileges - parameters: - - - id: ac-6.7_prm_1 - label: organization-defined frequency - - - id: ac-6.7_prm_2 - label: organization-defined roles or classes of users - properties: - - - name: label - value: AC-6(7) - - - name: sort-id - value: AC-06(07) - links: - - - href: #ca-7 - rel: related - text: CA-7 - parts: - - - id: ac-6.7_smt - name: statement - parts: - - - id: ac-6.7_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Review {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and - - - id: ac-6.7_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. - - - id: ac-6.7_gdn - name: guidance - prose: The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. - - - id: ac-6.9 - class: SP800-53-enhancement - title: Log Use of Privileged Functions - properties: - - - name: label - value: AC-6(9) - - - name: sort-id - value: AC-06(09) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-12 - rel: related - text: AU-12 - parts: - - - id: ac-6.9_smt - name: statement - prose: Audit the execution of privileged functions. - - - id: ac-6.9_gdn - name: guidance - prose: The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat. - - - id: ac-6.10 - class: SP800-53-enhancement - title: Prohibit Non-privileged Users from Executing Privileged Functions - properties: - - - name: label - value: AC-6(10) - - - name: sort-id - value: AC-06(10) - parts: - - - id: ac-6.10_smt - name: statement - prose: Prevent non-privileged users from executing privileged functions. - - - id: ac-6.10_gdn - name: guidance - prose: Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3. - - - id: ac-7 - class: SP800-53 - title: Unsuccessful Logon Attempts - parameters: - - - id: ac-7_prm_1 - label: organization-defined number - - - id: ac-7_prm_2 - label: organization-defined time-period - - - id: ac-7_prm_3 - - - id: ac-7_prm_4 - depends-on: ac-7_prm_3 - label: organization-defined time-period - - - id: ac-7_prm_5 - depends-on: ac-7_prm_3 - label: organization-defined delay algorithm - - - id: ac-7_prm_6 - depends-on: ac-7_prm_3 - label: organization-defined action - properties: - - - name: label - value: AC-7 - - - name: sort-id - value: AC-07 - links: - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-9 - rel: related - text: AC-9 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-5 - rel: related - text: IA-5 - parts: - - - id: ac-7_smt - name: statement - parts: - - - id: ac-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enforce a limit of {{ ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ ac-7_prm_2 }}; and - - - id: ac-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Automatically {{ ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded. - - - id: ac-7_gdn - name: guidance - prose: - """ - This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address. - Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need. - """ - - - id: ac-8 - class: SP800-53 - title: System Use Notification - parameters: - - - id: ac-8_prm_1 - label: organization-defined system use notification message or banner - - - id: ac-8_prm_2 - label: organization-defined conditions - properties: - - - name: label - value: AC-8 - - - name: sort-id - value: AC-08 - links: - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-8_smt - name: statement - parts: - - - id: ac-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Display {{ ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: - parts: - - - id: ac-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Users are accessing a U.S. Government system; - - - id: ac-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: System usage may be monitored, recorded, and subject to audit; - - - id: ac-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and - - - id: ac-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Use of the system indicates consent to monitoring and recording; - - - id: ac-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and - - - id: ac-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: For publicly accessible systems: - parts: - - - id: ac-8_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Display system use information {{ ac-8_prm_2 }}, before granting further access to the publicly accessible system; - - - id: ac-8_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and - - - id: ac-8_smt.c.3 - name: item - properties: - - - name: label - value: 3. - prose: Include a description of the authorized uses of the system. - - - id: ac-8_gdn - name: guidance - prose: System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. - - - id: ac-11 - class: SP800-53 - title: Device Lock - parameters: - - - id: ac-11_prm_1 - - - id: ac-11_prm_2 - depends-on: ac-11_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AC-11 - - - name: sort-id - value: AC-11 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #pl-4 - rel: related - text: PL-4 - parts: - - - id: ac-11_smt - name: statement - parts: - - - id: ac-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Prevent further access to the system by {{ ac-11_prm_1 }}; and - - - id: ac-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the device lock until the user reestablishes access using established identification and authentication procedures. - - - id: ac-11_gdn - name: guidance - prose: Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays. - controls: - - - id: ac-11.1 - class: SP800-53-enhancement - title: Pattern-hiding Displays - properties: - - - name: label - value: AC-11(1) - - - name: sort-id - value: AC-11(01) - parts: - - - id: ac-11.1_smt - name: statement - prose: Conceal, via the device lock, information previously visible on the display with a publicly viewable image. - - - id: ac-11.1_gdn - name: guidance - prose: The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed. - - - id: ac-12 - class: SP800-53 - title: Session Termination - parameters: - - - id: ac-12_prm_1 - label: organization-defined conditions or trigger events requiring session disconnect - properties: - - - name: label - value: AC-12 - - - name: sort-id - value: AC-12 - links: - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sc-10 - rel: related - text: SC-10 - - - href: #sc-23 - rel: related - text: SC-23 - parts: - - - id: ac-12_smt - name: statement - prose: Automatically terminate a user session after {{ ac-12_prm_1 }}. - - - id: ac-12_gdn - name: guidance - prose: Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use. - - - id: ac-14 - class: SP800-53 - title: Permitted Actions Without Identification or Authentication - parameters: - - - id: ac-14_prm_1 - label: organization-defined user actions - properties: - - - name: label - value: AC-14 - - - name: sort-id - value: AC-14 - links: - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: ac-14_smt - name: statement - parts: - - - id: ac-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify {{ ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and - - - id: ac-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. - - - id: ac-14_gdn - name: guidance - prose: Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none. - - - id: ac-17 - class: SP800-53 - title: Remote Access - properties: - - - name: label - value: AC-17 - - - name: sort-id - value: AC-17 - links: - - - href: #7768c184-088d-4ee8-a316-f9286b52df7f - rel: reference - text: [SP 800-46] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #36132a58-56fd-4980-9f6c-c010d3faf52b - rel: reference - text: [SP 800-113] - - - href: #49fa1ee1-aaf7-4270-bb5a-a86497f717dc - rel: reference - text: [SP 800-114] - - - href: #60b24979-65b8-4ca5-a442-11b74339fab5 - rel: reference - text: [SP 800-121] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-17 - rel: related - text: PE-17 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-10 - rel: related - text: SC-10 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-17_smt - name: statement - parts: - - - id: ac-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and - - - id: ac-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize each type of remote access to the system prior to allowing such connections. - - - id: ac-17_gdn - name: guidance - prose: Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3. - controls: - - - id: ac-17.1 - class: SP800-53-enhancement - title: Monitoring and Control - properties: - - - name: label - value: AC-17(1) - - - name: sort-id - value: AC-17(01) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - parts: - - - id: ac-17.1_smt - name: statement - prose: Employ automated mechanisms to monitor and control remote access methods. - - - id: ac-17.1_gdn - name: guidance - prose: Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a. - - - id: ac-17.2 - class: SP800-53-enhancement - title: Protection of Confidentiality and Integrity Using Encryption - properties: - - - name: label - value: AC-17(2) - - - name: sort-id - value: AC-17(02) - links: - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ac-17.2_smt - name: statement - prose: Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. - - - id: ac-17.2_gdn - name: guidance - prose: Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions. - - - id: ac-17.3 - class: SP800-53-enhancement - title: Managed Access Control Points - properties: - - - name: label - value: AC-17(3) - - - name: sort-id - value: AC-17(03) - links: - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: ac-17.3_smt - name: statement - prose: Route remote accesses through authorized and managed network access control points. - - - id: ac-17.3_gdn - name: guidance - prose: Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface. - - - id: ac-17.4 - class: SP800-53-enhancement - title: Privileged Commands and Access - parameters: - - - id: ac-17.4_prm_1 - label: organization-defined needs - properties: - - - name: label - value: AC-17(4) - - - name: sort-id - value: AC-17(04) - links: - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ac-17.4_smt - name: statement - parts: - - - id: ac-17.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ ac-17.4_prm_1 }}; and - - - id: ac-17.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Document the rationale for remote access in the security plan for the system. - - - id: ac-17.4_gdn - name: guidance - prose: Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability. - - - id: ac-18 - class: SP800-53 - title: Wireless Access - properties: - - - name: label - value: AC-18 - - - name: sort-id - value: AC-18 - links: - - - href: #41e2e2c6-2260-4258-85c8-09db17c43103 - rel: reference - text: [SP 800-94] - - - href: #6bed1550-cd5d-4e80-8d83-4e597c1514fe - rel: reference - text: [SP 800-97] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-18_smt - name: statement - parts: - - - id: ac-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and - - - id: ac-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize each type of wireless access to the system prior to allowing such connections. - - - id: ac-18_gdn - name: guidance - prose: Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication. - controls: - - - id: ac-18.1 - class: SP800-53-enhancement - title: Authentication and Encryption - parameters: - - - id: ac-18.1_prm_1 - properties: - - - name: label - value: AC-18(1) - - - name: sort-id - value: AC-18(01) - links: - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ac-18.1_smt - name: statement - prose: Protect wireless access to the system using authentication of {{ ac-18.1_prm_1 }} and encryption. - - - id: ac-18.1_gdn - name: guidance - prose: Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies. - - - id: ac-18.3 - class: SP800-53-enhancement - title: Disable Wireless Networking - properties: - - - name: label - value: AC-18(3) - - - name: sort-id - value: AC-18(03) - parts: - - - id: ac-18.3_smt - name: statement - prose: Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. - - - id: ac-18.3_gdn - name: guidance - prose: Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies. - - - id: ac-19 - class: SP800-53 - title: Access Control for Mobile Devices - properties: - - - name: label - value: AC-19 - - - name: sort-id - value: AC-19 - links: - - - href: #49fa1ee1-aaf7-4270-bb5a-a86497f717dc - rel: reference - text: [SP 800-114] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-11 - rel: related - text: AC-11 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ac-19_smt - name: statement - parts: - - - id: ac-19_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and - - - id: ac-19_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize the connection of mobile devices to organizational systems. - - - id: ac-19_gdn - name: guidance - prose: - """ - A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. - Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. - Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. - """ - controls: - - - id: ac-19.5 - class: SP800-53-enhancement - title: Full Device and Container-based Encryption - parameters: - - - id: ac-19.5_prm_1 - - - id: ac-19.5_prm_2 - label: organization-defined mobile devices - properties: - - - name: label - value: AC-19(5) - - - name: sort-id - value: AC-19(05) - links: - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - parts: - - - id: ac-19.5_smt - name: statement - prose: Employ {{ ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ ac-19.5_prm_2 }}. - - - id: ac-19.5_gdn - name: guidance - prose: Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields. - - - id: ac-20 - class: SP800-53 - title: Use of External Systems - parameters: - - - id: ac-20_prm_1 - - - id: ac-20_prm_2 - depends-on: ac-20_prm_1 - label: organization-defined terms and conditions - - - id: ac-20_prm_3 - depends-on: ac-20_prm_1 - label: organization-defined controls asserted to be implemented on external systems - properties: - - - name: label - value: AC-20 - - - name: sort-id - value: AC-20 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - rel: reference - text: [SP 800-171B] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: ac-20_smt - name: statement - prose: Establish {{ ac-20_prm_1 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: - parts: - - - id: ac-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Access the system from external systems; and - - - id: ac-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Process, store, or transmit organization-controlled information using external systems. - - - id: ac-20_gdn - name: guidance - prose: - """ - External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries. - For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. - This control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. - """ - controls: - - - id: ac-20.1 - class: SP800-53-enhancement - title: Limits on Authorized Use - properties: - - - name: label - value: AC-20(1) - - - name: sort-id - value: AC-20(01) - links: - - - href: #ca-2 - rel: related - text: CA-2 - parts: - - - id: ac-20.1_smt - name: statement - prose: Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: - parts: - - - id: ac-20.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or - - - id: ac-20.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Retention of approved system connection or processing agreements with the organizational entity hosting the external system. - - - id: ac-20.1_gdn - name: guidance - prose: Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations. - - - id: ac-20.2 - class: SP800-53-enhancement - title: Portable Storage Devices — Restricted Use - parameters: - - - id: ac-20.2_prm_1 - label: organization-defined restrictions - properties: - - - name: label - value: AC-20(2) - - - name: sort-id - value: AC-20(02) - links: - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #sc-41 - rel: related - text: SC-41 - parts: - - - id: ac-20.2_smt - name: statement - prose: Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ ac-20.2_prm_1 }}. - - - id: ac-20.2_gdn - name: guidance - prose: Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used. - - - id: ac-21 - class: SP800-53 - title: Information Sharing - parameters: - - - id: ac-21_prm_1 - label: organization-defined information sharing circumstances where user discretion is required - - - id: ac-21_prm_2 - label: organization-defined automated mechanisms or manual processes - properties: - - - name: label - value: AC-21 - - - name: sort-id - value: AC-21 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ad3e8f21-07c6-4968-b002-00b64dfa70ae - rel: reference - text: [SP 800-150] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sc-15 - rel: related - text: SC-15 - parts: - - - id: ac-21_smt - name: statement - parts: - - - id: ac-21_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ ac-21_prm_1 }}; and - - - id: ac-21_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ {{ ac-21_prm_2 }} to assist users in making information sharing and collaboration decisions. - - - id: ac-21_gdn - name: guidance - prose: Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). - - - id: ac-22 - class: SP800-53 - title: Publicly Accessible Content - parameters: - - - id: ac-22_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: AC-22 - - - name: sort-id - value: AC-22 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-13 - rel: related - text: AU-13 - parts: - - - id: ac-22_smt - name: statement - parts: - - - id: ac-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Designate individuals authorized to make information publicly accessible; - - - id: ac-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; - - - id: ac-22_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and - - - id: ac-22_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review the content on the publicly accessible system for nonpublic information {{ ac-22_prm_1 }} and remove such information, if discovered. - - - id: ac-22_gdn - name: guidance - prose: In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible. - - - id: at - class: family - title: Awareness and Training - controls: - - - id: at-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: at-1_prm_1 - label: organization-defined personnel or roles - - - id: at-1_prm_2 - - - id: at-1_prm_3 - label: organization-defined official - - - id: at-1_prm_4 - label: organization-defined frequency - - - id: at-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AT-1 - - - name: sort-id - value: AT-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-1_smt - name: statement - parts: - - - id: at-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ at-1_prm_1 }}: - parts: - - - id: at-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ at-1_prm_2 }} awareness and training policy that: - """ - parts: - - - id: at-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: at-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: at-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; - - - id: at-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and - - - id: at-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current awareness and training: - parts: - - - id: at-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ at-1_prm_4 }}; and - - - id: at-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ at-1_prm_5 }}. - - - id: at-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: at-2 - class: SP800-53 - title: Awareness Training - parameters: - - - id: at-2_prm_1 - label: organization-defined frequency - - - id: at-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: AT-2 - - - name: sort-id - value: AT-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-16 - rel: related - text: SA-16 - parts: - - - id: at-2_smt - name: statement - parts: - - - id: at-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide security and privacy awareness training to system users (including managers, senior executives, and contractors): - parts: - - - id: at-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and - - - id: at-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update awareness training {{ at-2_prm_2 }}. - - - id: at-2_gdn - name: guidance - prose: - """ - Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. - Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective. - """ - controls: - - - id: at-2.2 - class: SP800-53-enhancement - title: Insider Threat - properties: - - - name: label - value: AT-2(2) - - - name: sort-id - value: AT-02(02) - links: - - - href: #pm-12 - rel: related - text: PM-12 - parts: - - - id: at-2.2_smt - name: statement - prose: Provide awareness training on recognizing and reporting potential indicators of insider threat. - - - id: at-2.2_gdn - name: guidance - prose: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations. - - - id: at-2.3 - class: SP800-53-enhancement - title: Social Engineering and Mining - properties: - - - name: label - value: AT-2(3) - - - name: sort-id - value: AT-02(03) - parts: - - - id: at-2.3_smt - name: statement - prose: Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining. - - - id: at-2.3_gdn - name: guidance - prose: Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures. - - - id: at-3 - class: SP800-53 - title: Role-based Training - parameters: - - - id: at-3_prm_1 - label: organization-defined roles and responsibilities - - - id: at-3_prm_2 - label: organization-defined frequency - - - id: at-3_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AT-3 - - - name: sort-id - value: AT-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: at-3_smt - name: statement - parts: - - - id: at-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}: - parts: - - - id: at-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and - - - id: at-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update role-based training {{ at-3_prm_3 }}. - - - id: at-3_gdn - name: guidance - prose: - """ - Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. - Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective. - """ - - - id: at-4 - class: SP800-53 - title: Training Records - parameters: - - - id: at-4_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AT-4 - - - name: sort-id - value: AT-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-4_smt - name: statement - parts: - - - id: at-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and - - - id: at-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain individual training records for {{ at-4_prm_1 }}. - - - id: at-4_gdn - name: guidance - prose: Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies. - - - id: au - class: family - title: Audit and Accountability - controls: - - - id: au-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: au-1_prm_1 - label: organization-defined personnel or roles - - - id: au-1_prm_2 - - - id: au-1_prm_3 - label: organization-defined official - - - id: au-1_prm_4 - label: organization-defined frequency - - - id: au-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AU-1 - - - name: sort-id - value: AU-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-1_smt - name: statement - parts: - - - id: au-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ au-1_prm_1 }}: - parts: - - - id: au-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ au-1_prm_2 }} audit and accountability policy that: - """ - parts: - - - id: au-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: au-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: au-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; - - - id: au-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and - - - id: au-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current audit and accountability: - parts: - - - id: au-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ au-1_prm_4 }}; and - - - id: au-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ au-1_prm_5 }}. - - - id: au-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: au-2 - class: SP800-53 - title: Event Logging - parameters: - - - id: au-2_prm_1 - label: organization-defined event types that the system is capable of logging - - - id: au-2_prm_2 - label: organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type - - - id: au-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AU-2 - - - name: sort-id - value: AU-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #02d8ec60-6197-43f8-9f47-18732127963e - rel: reference - text: [SP 800-92] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: au-2_smt - name: statement - parts: - - - id: au-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }}; - - - id: au-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; - - - id: au-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Specify the following event types for logging within the system: {{ au-2_prm_2 }}; - - - id: au-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and - - - id: au-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Review and update the event types selected for logging {{ au-2_prm_3 }}. - - - id: au-2_gdn - name: guidance - prose: - """ - An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. - To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. - Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. - """ - - - id: au-3 - class: SP800-53 - title: Content of Audit Records - properties: - - - name: label - value: AU-3 - - - name: sort-id - value: AU-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-8 - rel: related - text: AU-8 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: au-3_smt - name: statement - prose: Ensure that audit records contain information that establishes the following: - parts: - - - id: au-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: What type of event occurred; - - - id: au-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: When the event occurred; - - - id: au-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Where the event occurred; - - - id: au-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Source of the event; - - - id: au-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Outcome of the event; and - - - id: au-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Identity of any individuals, subjects, or objects/entities associated with the event. - - - id: au-3_gdn - name: guidance - prose: Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage. - controls: - - - id: au-3.1 - class: SP800-53-enhancement - title: Additional Audit Information - parameters: - - - id: au-3.1_prm_1 - label: organization-defined additional information - properties: - - - name: label - value: AU-3(1) - - - name: sort-id - value: AU-03(01) - parts: - - - id: au-3.1_smt - name: statement - prose: Generate audit records containing the following additional information: {{ au-3.1_prm_1 }}. - - - id: au-3.1_gdn - name: guidance - prose: The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest. - - - id: au-4 - class: SP800-53 - title: Audit Log Storage Capacity - parameters: - - - id: au-4_prm_1 - label: organization-defined audit log retention requirements - properties: - - - name: label - value: AU-4 - - - name: sort-id - value: AU-04 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-4_smt - name: statement - prose: Allocate audit log storage capacity to accommodate {{ au-4_prm_1 }}. - - - id: au-4_gdn - name: guidance - prose: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability. - - - id: au-5 - class: SP800-53 - title: Response to Audit Logging Process Failures - parameters: - - - id: au-5_prm_1 - label: organization-defined personnel or roles - - - id: au-5_prm_2 - label: organization-defined time-period - - - id: au-5_prm_3 - label: organization-defined additional actions - properties: - - - name: label - value: AU-5 - - - name: sort-id - value: AU-05 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-5_smt - name: statement - parts: - - - id: au-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Alert {{ au-5_prm_1 }} within {{ au-5_prm_2 }} in the event of an audit logging process failure; and - - - id: au-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Take the following additional actions: {{ au-5_prm_3 }}. - - - id: au-5_gdn - name: guidance - prose: Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel. - - - id: au-6 - class: SP800-53 - title: Audit Record Review, Analysis, and Reporting - parameters: - - - id: au-6_prm_1 - label: organization-defined frequency - - - id: au-6_prm_2 - label: organization-defined inappropriate or unusual activity - - - id: au-6_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: AU-6 - - - name: sort-id - value: AU-06 - links: - - - href: #35dfd59f-eef2-4f71-bdb5-6d878267456a - rel: reference - text: [SP 800-86] - - - href: #1e2c475a-84ae-4c60-b420-8fb2ea552b71 - rel: reference - text: [SP 800-101] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: au-6_smt - name: statement - parts: - - - id: au-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review and analyze system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }}; - - - id: au-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report findings to {{ au-6_prm_3 }}; and - - - id: au-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. - - - id: au-6_gdn - name: guidance - prose: Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. - controls: - - - id: au-6.1 - class: SP800-53-enhancement - title: Automated Process Integration - parameters: - - - id: au-6.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: AU-6(1) - - - name: sort-id - value: AU-06(01) - links: - - - href: #pm-7 - rel: related - text: PM-7 - parts: - - - id: au-6.1_smt - name: statement - prose: Integrate audit record review, analysis, and reporting processes using {{ au-6.1_prm_1 }}. - - - id: au-6.1_gdn - name: guidance - prose: Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits. - - - id: au-6.3 - class: SP800-53-enhancement - title: Correlate Audit Record Repositories - properties: - - - name: label - value: AU-6(3) - - - name: sort-id - value: AU-06(03) - links: - - - href: #au-12 - rel: related - text: AU-12 - - - href: #ir-4 - rel: related - text: IR-4 - parts: - - - id: au-6.3_smt - name: statement - prose: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. - - - id: au-6.3_gdn - name: guidance - prose: Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness. - - - id: au-7 - class: SP800-53 - title: Audit Record Reduction and Report Generation - properties: - - - name: label - value: AU-7 - - - name: sort-id - value: AU-07 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-7_smt - name: statement - prose: Provide and implement an audit record reduction and report generation capability that: - parts: - - - id: au-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and - - - id: au-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Does not alter the original content or time ordering of audit records. - - - id: au-7_gdn - name: guidance - prose: Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. - controls: - - - id: au-7.1 - class: SP800-53-enhancement - title: Automatic Processing - parameters: - - - id: au-7.1_prm_1 - label: organization-defined fields within audit records - properties: - - - name: label - value: AU-7(1) - - - name: sort-id - value: AU-07(01) - parts: - - - id: au-7.1_smt - name: statement - prose: Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ au-7.1_prm_1 }}. - - - id: au-7.1_gdn - name: guidance - prose: Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component. - - - id: au-8 - class: SP800-53 - title: Time Stamps - parameters: - - - id: au-8_prm_1 - label: organization-defined granularity of time measurement - properties: - - - name: label - value: AU-8 - - - name: sort-id - value: AU-08 - links: - - - href: #17ca9481-ea11-4ef2-81c1-885fd37d4be5 - rel: reference - text: [IETF 5905] - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #sc-45 - rel: related - text: SC-45 - parts: - - - id: au-8_smt - name: statement - parts: - - - id: au-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Use internal system clocks to generate time stamps for audit records; and - - - id: au-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Record time stamps for audit records that meet {{ au-8_prm_1 }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. - - - id: au-8_gdn - name: guidance - prose: Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. - controls: - - - id: au-8.1 - class: SP800-53-enhancement - title: Synchronization with Authoritative Time Source - parameters: - - - id: au-8.1_prm_1 - label: organization-defined frequency - - - id: au-8.1_prm_2 - label: organization-defined authoritative time source - - - id: au-8.1_prm_3 - label: organization-defined time-period - properties: - - - name: label - value: AU-8(1) - - - name: sort-id - value: AU-08(01) - parts: - - - id: au-8.1_smt - name: statement - parts: - - - id: au-8.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Compare the internal system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and - - - id: au-8.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ au-8.1_prm_3 }}. - - - id: au-8.1_gdn - name: guidance - prose: Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network. - - - id: au-9 - class: SP800-53 - title: Protection of Audit Information - properties: - - - name: label - value: AU-9 - - - name: sort-id - value: AU-09 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #au-15 - rel: related - text: AU-15 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: au-9_smt - name: statement - prose: Protect audit information and audit logging tools from unauthorized access, modification, and deletion. - - - id: au-9_gdn - name: guidance - prose: Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. - controls: - - - id: au-9.4 - class: SP800-53-enhancement - title: Access by Subset of Privileged Users - parameters: - - - id: au-9.4_prm_1 - label: organization-defined subset of privileged users or roles - properties: - - - name: label - value: AU-9(4) - - - name: sort-id - value: AU-09(04) - links: - - - href: #ac-5 - rel: related - text: AC-5 - parts: - - - id: au-9.4_smt - name: statement - prose: Authorize access to management of audit logging functionality to only {{ au-9.4_prm_1 }}. - - - id: au-9.4_gdn - name: guidance - prose: Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges. - - - id: au-11 - class: SP800-53 - title: Audit Record Retention - parameters: - - - id: au-11_prm_1 - label: organization-defined time-period consistent with records retention policy - properties: - - - name: label - value: AU-11 - - - name: sort-id - value: AU-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-11_smt - name: statement - prose: Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - - - id: au-11_gdn - name: guidance - prose: Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. - - - id: au-12 - class: SP800-53 - title: Audit Record Generation - parameters: - - - id: au-12_prm_1 - label: organization-defined system components - - - id: au-12_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: AU-12 - - - name: sort-id - value: AU-12 - links: - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - parts: - - - id: au-12_smt - name: statement - parts: - - - id: au-12_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ au-12_prm_1 }}; - - - id: au-12_smt.b - name: item - properties: - - - name: label - value: b. - prose: Allow {{ au-12_prm_2 }} to select the event types that are to be logged by specific components of the system; and - - - id: au-12_smt.c - name: item - properties: - - - name: label - value: c. - prose: Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. - - - id: au-12_gdn - name: guidance - prose: Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. - - - id: ca - class: family - title: Assessment, Authorization, and Monitoring - controls: - - - id: ca-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ca-1_prm_1 - label: organization-defined personnel or roles - - - id: ca-1_prm_2 - - - id: ca-1_prm_3 - label: organization-defined official - - - id: ca-1_prm_4 - label: organization-defined frequency - - - id: ca-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-1 - - - name: sort-id - value: CA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-1_smt - name: statement - parts: - - - id: ca-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ca-1_prm_1 }}: - parts: - - - id: ca-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that: - """ - parts: - - - id: ca-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ca-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ca-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; - - - id: ca-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and - - - id: ca-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current assessment, authorization, and monitoring: - parts: - - - id: ca-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ca-1_prm_4 }}; and - - - id: ca-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ca-1_prm_5 }}. - - - id: ca-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ca-2 - class: SP800-53 - title: Control Assessments - parameters: - - - id: ca-2_prm_1 - label: organization-defined frequency - - - id: ca-2_prm_2 - label: organization-defined individuals or roles - properties: - - - name: label - value: CA-2 - - - name: sort-id - value: CA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: ca-2_smt - name: statement - parts: - - - id: ca-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a control assessment plan that describes the scope of the assessment including: - parts: - - - id: ca-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Controls and control enhancements under assessment; - - - id: ca-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Assessment procedures to be used to determine control effectiveness; and - - - id: ca-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Assessment environment, assessment team, and assessment roles and responsibilities; - - - id: ca-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; - - - id: ca-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; - - - id: ca-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Produce a control assessment report that document the results of the assessment; and - - - id: ca-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Provide the results of the control assessment to {{ ca-2_prm_2 }}. - - - id: ca-2_gdn - name: guidance - prose: - """ - Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. - Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. - Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. - To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control. - """ - controls: - - - id: ca-2.1 - class: SP800-53-enhancement - title: Independent Assessors - properties: - - - name: label - value: CA-2(1) - - - name: sort-id - value: CA-02(01) - parts: - - - id: ca-2.1_smt - name: statement - prose: Employ independent assessors or assessment teams to conduct control assessments. - - - id: ca-2.1_gdn - name: guidance - prose: - """ - Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services. - Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews. - When organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments. - """ - - - id: ca-3 - class: SP800-53 - title: Information Exchange - parameters: - - - id: ca-3_prm_1 - - - id: ca-3_prm_2 - depends-on: ca-3_prm_1 - label: organization-defined type of agreement - - - id: ca-3_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CA-3 - - - name: sort-id - value: CA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #2e66c31a-190e-49ad-8e00-f306f8a0df17 - rel: reference - text: [SP 800-47] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #au-16 - rel: related - text: AU-16 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-3_smt - name: statement - parts: - - - id: ca-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve and manage the exchange of information between the system and other systems using {{ ca-3_prm_1 }}; - - - id: ca-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and - - - id: ca-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the agreements {{ ca-3_prm_3 }}. - - - id: ca-3_gdn - name: guidance - prose: - """ - System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk. - Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks. - """ - - - id: ca-5 - class: SP800-53 - title: Plan of Action and Milestones - parameters: - - - id: ca-5_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-5 - - - name: sort-id - value: CA-05 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-5_smt - name: statement - parts: - - - id: ca-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and - - - id: ca-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities. - - - id: ca-5_gdn - name: guidance - prose: Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB. - - - id: ca-6 - class: SP800-53 - title: Authorization - parameters: - - - id: ca-6_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-6 - - - name: sort-id - value: CA-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-6_smt - name: statement - parts: - - - id: ca-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Assign a senior official as the authorizing official for the system; - - - id: ca-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; - - - id: ca-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ensure that the authorizing official for the system, before commencing operations: - parts: - - - id: ca-6_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Accepts the use of common controls inherited by the system; and - - - id: ca-6_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Authorizes the system to operate; - - - id: ca-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; - - - id: ca-6_smt.e - name: item - properties: - - - name: label - value: e. - prose: Update the authorizations {{ ca-6_prm_1 }}. - - - id: ca-6_gdn - name: guidance - prose: - """ - Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. - Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. - """ - - - id: ca-7 - class: SP800-53 - title: Continuous Monitoring - parameters: - - - id: ca-7_prm_1 - label: organization-defined system-level metrics - - - id: ca-7_prm_2 - label: organization-defined frequencies - - - id: ca-7_prm_3 - label: organization-defined frequencies - - - id: ca-7_prm_4 - label: organization-defined personnel or roles - - - id: ca-7_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-7 - - - name: sort-id - value: CA-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - rel: reference - text: [IR 8011 v1] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-31 - rel: related - text: PM-31 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: ca-7_smt - name: statement - prose: Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: - parts: - - - id: ca-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }}; - - - id: ca-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness; - - - id: ca-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing control assessments in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.e - name: item - properties: - - - name: label - value: e. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: ca-7_smt.f - name: item - properties: - - - name: label - value: f. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: ca-7_smt.g - name: item - properties: - - - name: label - value: g. - prose: - """ - Reporting the security and privacy status of the system to {{ ca-7_prm_4 }} - {{ ca-7_prm_5 }}. - """ - - - id: ca-7_gdn - name: guidance - prose: - """ - Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. - Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - """ - controls: - - - id: ca-7.1 - class: SP800-53-enhancement - title: Independent Assessment - properties: - - - name: label - value: CA-7(1) - - - name: sort-id - value: CA-07(01) - parts: - - - id: ca-7.1_smt - name: statement - prose: Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. - - - id: ca-7.1_gdn - name: guidance - prose: Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services. - - - id: ca-7.4 - class: SP800-53-enhancement - title: Risk Monitoring - properties: - - - name: label - value: CA-7(4) - - - name: sort-id - value: CA-07(04) - parts: - - - id: ca-7.4_smt - name: statement - prose: Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: - parts: - - - id: ca-7.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Effectiveness monitoring; - - - id: ca-7.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Compliance monitoring; and - - - id: ca-7.4_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Change monitoring. - - - id: ca-7.4_gdn - name: guidance - prose: Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk. - - - id: ca-9 - class: SP800-53 - title: Internal System Connections - parameters: - - - id: ca-9_prm_1 - label: organization-defined system components or classes of components - - - id: ca-9_prm_2 - label: organization-defined conditions - - - id: ca-9_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CA-9 - - - name: sort-id - value: CA-09 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-9_smt - name: statement - parts: - - - id: ca-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Authorize internal connections of {{ ca-9_prm_1 }} to the system; - - - id: ca-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; - - - id: ca-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Terminate internal system connections after {{ ca-9_prm_2 }}; and - - - id: ca-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review {{ ca-9_prm_3 }} the continued need for each internal connection. - - - id: ca-9_gdn - name: guidance - prose: Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions. - - - id: cm - class: family - title: Configuration Management - controls: - - - id: cm-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: cm-1_prm_1 - label: organization-defined personnel or roles - - - id: cm-1_prm_2 - - - id: cm-1_prm_3 - label: organization-defined official - - - id: cm-1_prm_4 - label: organization-defined frequency - - - id: cm-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CM-1 - - - name: sort-id - value: CM-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cm-1_smt - name: statement - parts: - - - id: cm-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ cm-1_prm_1 }}: - parts: - - - id: cm-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cm-1_prm_2 }} configuration management policy that: - """ - parts: - - - id: cm-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: cm-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: cm-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; - - - id: cm-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and - - - id: cm-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current configuration management: - parts: - - - id: cm-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ cm-1_prm_4 }}; and - - - id: cm-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ cm-1_prm_5 }}. - - - id: cm-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: cm-2 - class: SP800-53 - title: Baseline Configuration - parameters: - - - id: cm-2_prm_1 - label: organization-defined frequency - - - id: cm-2_prm_2 - label: Assignment organization-defined circumstances - properties: - - - name: label - value: CM-2 - - - name: sort-id - value: CM-02 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #cp-12 - rel: related - text: CP-12 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-18 - rel: related - text: SC-18 - parts: - - - id: cm-2_smt - name: statement - parts: - - - id: cm-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and maintain under configuration control, a current baseline configuration of the system; and - - - id: cm-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the baseline configuration of the system: - parts: - - - id: cm-2_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cm-2_prm_1 }}; - """ - - - id: cm-2_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: When required due to {{ cm-2_prm_2 }}; and - - - id: cm-2_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: When system components are installed or upgraded. - - - id: cm-2_gdn - name: guidance - prose: Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. - controls: - - - id: cm-2.2 - class: SP800-53-enhancement - title: Automation Support for Accuracy and Currency - parameters: - - - id: cm-2.2_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: CM-2(2) - - - name: sort-id - value: CM-02(02) - links: - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ra-5 - rel: related - text: RA-5 - parts: - - - id: cm-2.2_smt - name: statement - prose: Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ cm-2.2_prm_1 }}. - - - id: cm-2.2_gdn - name: guidance - prose: Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities. - - - id: cm-2.3 - class: SP800-53-enhancement - title: Retention of Previous Configurations - parameters: - - - id: cm-2.3_prm_1 - label: organization-defined number - properties: - - - name: label - value: CM-2(3) - - - name: sort-id - value: CM-02(03) - parts: - - - id: cm-2.3_smt - name: statement - prose: Retain {{ cm-2.3_prm_1 }} of previous versions of baseline configurations of the system to support rollback. - - - id: cm-2.3_gdn - name: guidance - prose: Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records. - - - id: cm-2.7 - class: SP800-53-enhancement - title: Configure Systems and Components for High-risk Areas - parameters: - - - id: cm-2.7_prm_1 - label: organization-defined systems or system components - - - id: cm-2.7_prm_2 - label: organization-defined configurations - - - id: cm-2.7_prm_3 - label: organization-defined controls - properties: - - - name: label - value: CM-2(7) - - - name: sort-id - value: CM-02(07) - links: - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - parts: - - - id: cm-2.7_smt - name: statement - parts: - - - id: cm-2.7_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Issue {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and - - - id: cm-2.7_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Apply the following controls to the systems or components when the individuals return from travel: {{ cm-2.7_prm_3 }}. - - - id: cm-2.7_gdn - name: guidance - prose: When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family. - - - id: cm-3 - class: SP800-53 - title: Configuration Change Control - parameters: - - - id: cm-3_prm_1 - label: organization-defined time-period - - - id: cm-3_prm_2 - label: organization-defined configuration change control element - - - id: cm-3_prm_3 - - - id: cm-3_prm_4 - depends-on: cm-3_prm_3 - label: organization-defined frequency - - - id: cm-3_prm_5 - depends-on: cm-3_prm_3 - label: organization-defined configuration change conditions - properties: - - - name: label - value: CM-3 - - - name: sort-id - value: CM-03 - links: - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: cm-3_smt - name: statement - parts: - - - id: cm-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine and document the types of changes to the system that are configuration-controlled; - - - id: cm-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; - - - id: cm-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document configuration change decisions associated with the system; - - - id: cm-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement approved configuration-controlled changes to the system; - - - id: cm-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Retain records of configuration-controlled changes to the system for {{ cm-3_prm_1 }}; - - - id: cm-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Monitor and review activities associated with configuration-controlled changes to the system; and - - - id: cm-3_smt.g - name: item - properties: - - - name: label - value: g. - prose: Coordinate and provide oversight for configuration change control activities through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}. - - - id: cm-3_gdn - name: guidance - prose: Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10. - controls: - - - id: cm-3.2 - class: SP800-53-enhancement - title: Testing, Validation, and Documentation of Changes - properties: - - - name: label - value: CM-3(2) - - - name: sort-id - value: CM-03(02) - parts: - - - id: cm-3.2_smt - name: statement - prose: Test, validate, and document changes to the system before finalizing the implementation of the changes. - - - id: cm-3.2_gdn - name: guidance - prose: Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls. - - - id: cm-3.4 - class: SP800-53-enhancement - title: Security and Privacy Representatives - parameters: - - - id: cm-3.4_prm_1 - label: organization-defined security and privacy representatives - - - id: cm-3.4_prm_2 - label: organization-defined configuration change control element - properties: - - - name: label - value: CM-3(4) - - - name: sort-id - value: CM-03(04) - parts: - - - id: cm-3.4_smt - name: statement - prose: Require {{ cm-3.4_prm_1 }} to be members of the {{ cm-3.4_prm_2 }}. - - - id: cm-3.4_gdn - name: guidance - prose: Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3. - - - id: cm-4 - class: SP800-53 - title: Impact Analyses - properties: - - - name: label - value: CM-4 - - - name: sort-id - value: CM-04 - links: - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: cm-4_smt - name: statement - prose: Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. - - - id: cm-4_gdn - name: guidance - prose: Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required. - controls: - - - id: cm-4.2 - class: SP800-53-enhancement - title: Verification of Controls - properties: - - - name: label - value: CM-4(2) - - - name: sort-id - value: CM-04(02) - links: - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #si-6 - rel: related - text: SI-6 - parts: - - - id: cm-4.2_smt - name: statement - prose: After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system. - - - id: cm-4.2_gdn - name: guidance - prose: Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls. - - - id: cm-5 - class: SP800-53 - title: Access Restrictions for Change - properties: - - - name: label - value: CM-5 - - - name: sort-id - value: CM-05 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-10 - rel: related - text: SI-10 - parts: - - - id: cm-5_smt - name: statement - prose: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - - - id: cm-5_gdn - name: guidance - prose: Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times). - - - id: cm-6 - class: SP800-53 - title: Configuration Settings - parameters: - - - id: cm-6_prm_1 - label: organization-defined common secure configurations - - - id: cm-6_prm_2 - label: organization-defined system components - - - id: cm-6_prm_3 - label: organization-defined operational requirements - properties: - - - name: label - value: CM-6 - - - name: sort-id - value: CM-06 - links: - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - rel: reference - text: [SP 800-126] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #06842bea-64c9-4e20-807a-b8fc003fa737 - rel: reference - text: [USGCB] - - - href: #5cc04a1c-5489-4751-a493-746a9639067b - rel: reference - text: [NCPR] - - - href: #294eed19-7471-4517-9480-2ec73e7c6a78 - rel: reference - text: [DOD STIG] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-6 - rel: related - text: SI-6 - parts: - - - id: cm-6_smt - name: statement - parts: - - - id: cm-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and document configuration settings for components employed within the system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements; - - - id: cm-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the configuration settings; - - - id: cm-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Identify, document, and approve any deviations from established configuration settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and - - - id: cm-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. - - - id: cm-6_gdn - name: guidance - prose: - """ - Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. - Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. - Implementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings. - """ - - - id: cm-7 - class: SP800-53 - title: Least Functionality - parameters: - - - id: cm-7_prm_1 - label: organization-defined mission essential capabilities - - - id: cm-7_prm_2 - label: organization-defined prohibited or restricted functions, ports, protocols, software, and/or services - properties: - - - name: label - value: CM-7 - - - name: sort-id - value: CM-07 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #893d1736-324c-41d6-a5f4-d526b5ca981a - rel: reference - text: [SP 800-167] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: cm-7_smt - name: statement - parts: - - - id: cm-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Configure the system to provide only {{ cm-7_prm_1 }}; and - - - id: cm-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ cm-7_prm_2 }}. - - - id: cm-7_gdn - name: guidance - prose: Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3). - controls: - - - id: cm-7.1 - class: SP800-53-enhancement - title: Periodic Review - parameters: - - - id: cm-7.1_prm_1 - label: organization-defined frequency - - - id: cm-7.1_prm_2 - label: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure - properties: - - - name: label - value: CM-7(1) - - - name: sort-id - value: CM-07(01) - links: - - - href: #ac-18 - rel: related - text: AC-18 - parts: - - - id: cm-7.1_smt - name: statement - parts: - - - id: cm-7.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Review the system {{ cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and - - - id: cm-7.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Disable or remove {{ cm-7.1_prm_2 }}. - - - id: cm-7.1_gdn - name: guidance - prose: Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking. - - - id: cm-7.2 - class: SP800-53-enhancement - title: Prevent Program Execution - parameters: - - - id: cm-7.2_prm_1 - - - id: cm-7.2_prm_2 - depends-on: cm-7.2_prm_1 - label: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions - properties: - - - name: label - value: CM-7(2) - - - name: sort-id - value: CM-07(02) - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #ps-6 - rel: related - text: PS-6 - parts: - - - id: cm-7.2_smt - name: statement - prose: Prevent program execution in accordance with {{ cm-7.2_prm_1 }}. - - - id: cm-7.2_gdn - name: guidance - prose: Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. - - - id: cm-7.5 - class: SP800-53-enhancement - title: Authorized Software — Whitelisting - parameters: - - - id: cm-7.5_prm_1 - label: organization-defined software programs authorized to execute on the system - - - id: cm-7.5_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CM-7(5) - - - name: sort-id - value: CM-07(05) - links: - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-7.5_smt - name: statement - parts: - - - id: cm-7.5_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Identify {{ cm-7.5_prm_1 }}; - - - id: cm-7.5_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and - - - id: cm-7.5_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Review and update the list of authorized software programs {{ cm-7.5_prm_2 }}. - - - id: cm-7.5_gdn - name: guidance - prose: The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7. - - - id: cm-8 - class: SP800-53 - title: System Component Inventory - parameters: - - - id: cm-8_prm_1 - label: organization-defined information deemed necessary to achieve effective system component accountability - - - id: cm-8_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CM-8 - - - name: sort-id - value: CM-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: cm-8_smt - name: statement - parts: - - - id: cm-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and document an inventory of system components that: - parts: - - - id: cm-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Accurately reflects the system; - - - id: cm-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Includes all components within the system; - - - id: cm-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Is at the level of granularity deemed necessary for tracking and reporting; and - - - id: cm-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Includes the following information to achieve system component accountability: {{ cm-8_prm_1 }}; and - - - id: cm-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the system component inventory {{ cm-8_prm_2 }}. - - - id: cm-8_gdn - name: guidance - prose: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. - controls: - - - id: cm-8.1 - class: SP800-53-enhancement - title: Updates During Installation and Removal - properties: - - - name: label - value: CM-8(1) - - - name: sort-id - value: CM-08(01) - links: - - - href: #pm-16 - rel: related - text: PM-16 - parts: - - - id: cm-8.1_smt - name: statement - prose: Update the inventory of system components as part of component installations, removals, and system updates. - - - id: cm-8.1_gdn - name: guidance - prose: Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components. - - - id: cm-8.3 - class: SP800-53-enhancement - title: Automated Unauthorized Component Detection - parameters: - - - id: cm-8.3_prm_1 - label: organization-defined automated mechanisms - - - id: cm-8.3_prm_2 - label: organization-defined frequency - - - id: cm-8.3_prm_3 - - - id: cm-8.3_prm_4 - depends-on: cm-8.3_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: CM-8(3) - - - name: sort-id - value: CM-08(03) - links: - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-39 - rel: related - text: SC-39 - - - href: #sc-44 - rel: related - text: SC-44 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-8.3_smt - name: statement - parts: - - - id: cm-8.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: - """ - Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ cm-8.3_prm_1 }} - {{ cm-8.3_prm_2 }}; and - """ - - - id: cm-8.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Take the following actions when unauthorized components are detected: {{ cm-8.3_prm_3 }}. - - - id: cm-8.3_gdn - name: guidance - prose: Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing. - - - id: cm-9 - class: SP800-53 - title: Configuration Management Plan - parameters: - - - id: cm-9_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: CM-9 - - - name: sort-id - value: CM-09 - links: - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cm-9_smt - name: statement - prose: Develop, document, and implement a configuration management plan for the system that: - parts: - - - id: cm-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Addresses roles, responsibilities, and configuration management processes and procedures; - - - id: cm-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; - - - id: cm-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Defines the configuration items for the system and places the configuration items under configuration management; - - - id: cm-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Is reviewed and approved by {{ cm-9_prm_1 }}; and - - - id: cm-9_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protects the configuration management plan from unauthorized disclosure and modification. - - - id: cm-9_gdn - name: guidance - prose: - """ - Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities. - Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. - Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control. - """ - - - id: cm-10 - class: SP800-53 - title: Software Usage Restrictions - properties: - - - name: label - value: CM-10 - - - name: sort-id - value: CM-10 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: cm-10_smt - name: statement - parts: - - - id: cm-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Use software and associated documentation in accordance with contract agreements and copyright laws; - - - id: cm-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and - - - id: cm-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. - - - id: cm-10_gdn - name: guidance - prose: Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement. - - - id: cm-11 - class: SP800-53 - title: User-installed Software - parameters: - - - id: cm-11_prm_1 - label: organization-defined policies - - - id: cm-11_prm_2 - label: organization-defined methods - - - id: cm-11_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: CM-11 - - - name: sort-id - value: CM-11 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-11_smt - name: statement - parts: - - - id: cm-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish {{ cm-11_prm_1 }} governing the installation of software by users; - - - id: cm-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Enforce software installation policies through the following methods: {{ cm-11_prm_2 }}; and - - - id: cm-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Monitor policy compliance {{ cm-11_prm_3 }}. - - - id: cm-11_gdn - name: guidance - prose: If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods. - - - id: cm-12 - class: SP800-53 - title: Information Location - parameters: - - - id: cm-12_prm_1 - label: organization-defined information - properties: - - - name: label - value: CM-12 - - - name: sort-id - value: CM-12 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-23 - rel: related - text: AC-23 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sc-4 - rel: related - text: SC-4 - - - href: #sc-16 - rel: related - text: SC-16 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: cm-12_smt - name: statement - parts: - - - id: cm-12_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document the location of {{ cm-12_prm_1 }} and the specific system components on which the information is processed and stored; - - - id: cm-12_smt.b - name: item - properties: - - - name: label - value: b. - prose: Identify and document the users who have access to the system and system components where the information is processed and stored; and - - - id: cm-12_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document changes to the location (i.e., system or system components) where the information is processed and stored. - - - id: cm-12_gdn - name: guidance - prose: Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17). - controls: - - - id: cm-12.1 - class: SP800-53-enhancement - title: Automated Tools to Support Information Location - parameters: - - - id: cm-12.1_prm_1 - label: organization-defined information by information type - - - id: cm-12.1_prm_2 - label: organization-defined system components - properties: - - - name: label - value: CM-12(1) - - - name: sort-id - value: CM-12(01) - parts: - - - id: cm-12.1_smt - name: statement - prose: Use automated tools to identify {{ cm-12.1_prm_1 }} on {{ cm-12.1_prm_2 }} to ensure controls are in place to protect organizational information and individual privacy. - - - id: cm-12.1_gdn - name: guidance - prose: The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions. - - - id: cp - class: family - title: Contingency Planning - controls: - - - id: cp-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: cp-1_prm_1 - label: organization-defined personnel or roles - - - id: cp-1_prm_2 - - - id: cp-1_prm_3 - label: organization-defined official - - - id: cp-1_prm_4 - label: organization-defined frequency - - - id: cp-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CP-1 - - - name: sort-id - value: CP-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cp-1_smt - name: statement - parts: - - - id: cp-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ cp-1_prm_1 }}: - parts: - - - id: cp-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cp-1_prm_2 }} contingency planning policy that: - """ - parts: - - - id: cp-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: cp-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: cp-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; - - - id: cp-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ cp-1_prm_3 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and - - - id: cp-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current contingency planning: - parts: - - - id: cp-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ cp-1_prm_4 }}; and - - - id: cp-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ cp-1_prm_5 }}. - - - id: cp-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: cp-2 - class: SP800-53 - title: Contingency Plan - parameters: - - - id: cp-2_prm_1 - label: organization-defined personnel or roles - - - id: cp-2_prm_2 - label: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - - - id: cp-2_prm_3 - label: organization-defined frequency - - - id: cp-2_prm_4 - label: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - properties: - - - name: label - value: CP-2 - - - name: sort-id - value: CP-02 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #7a93e915-fd58-4147-be12-e48044c367e6 - rel: reference - text: [IR 8179] - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #cp-11 - rel: related - text: CP-11 - - - href: #cp-13 - rel: related - text: CP-13 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-20 - rel: related - text: SA-20 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cp-2_smt - name: statement - parts: - - - id: cp-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a contingency plan for the system that: - parts: - - - id: cp-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Identifies essential missions and business functions and associated contingency requirements; - - - id: cp-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Provides recovery objectives, restoration priorities, and metrics; - - - id: cp-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Addresses contingency roles, responsibilities, assigned individuals with contact information; - - - id: cp-2_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure; - - - id: cp-2_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and - - - id: cp-2_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Is reviewed and approved by {{ cp-2_prm_1 }}; - - - id: cp-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the contingency plan to {{ cp-2_prm_2 }}; - - - id: cp-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Coordinate contingency planning activities with incident handling activities; - - - id: cp-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review the contingency plan for the system {{ cp-2_prm_3 }}; - - - id: cp-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; - - - id: cp-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Communicate contingency plan changes to {{ cp-2_prm_4 }}; and - - - id: cp-2_smt.g - name: item - properties: - - - name: label - value: g. - prose: Protect the contingency plan from unauthorized disclosure and modification. - - - id: cp-2_gdn - name: guidance - prose: - """ - Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - In addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family. - """ - controls: - - - id: cp-2.1 - class: SP800-53-enhancement - title: Coordinate with Related Plans - properties: - - - name: label - value: CP-2(1) - - - name: sort-id - value: CP-02(01) - parts: - - - id: cp-2.1_smt - name: statement - prose: Coordinate contingency plan development with organizational elements responsible for related plans. - - - id: cp-2.1_gdn - name: guidance - prose: Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. - - - id: cp-2.3 - class: SP800-53-enhancement - title: Resume Missions and Business Functions - parameters: - - - id: cp-2.3_prm_1 - - - id: cp-2.3_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: CP-2(3) - - - name: sort-id - value: CP-02(03) - parts: - - - id: cp-2.3_smt - name: statement - prose: Plan for the resumption of {{ cp-2.3_prm_1 }} missions and business functions within {{ cp-2.3_prm_2 }} of contingency plan activation. - - - id: cp-2.3_gdn - name: guidance - prose: Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure. - - - id: cp-2.8 - class: SP800-53-enhancement - title: Identify Critical Assets - parameters: - - - id: cp-2.8_prm_1 - properties: - - - name: label - value: CP-2(8) - - - name: sort-id - value: CP-02(08) - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ra-9 - rel: related - text: RA-9 - parts: - - - id: cp-2.8_smt - name: statement - prose: Identify critical system assets supporting {{ cp-2.8_prm_1 }} missions and business functions. - - - id: cp-2.8_gdn - name: guidance - prose: Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement. - - - id: cp-3 - class: SP800-53 - title: Contingency Training - parameters: - - - id: cp-3_prm_1 - label: organization-defined time-period - - - id: cp-3_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: CP-3 - - - name: sort-id - value: CP-03 - links: - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: cp-3_smt - name: statement - prose: Provide contingency training to system users consistent with assigned roles and responsibilities: - parts: - - - id: cp-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Within {{ cp-3_prm_1 }} of assuming a contingency role or responsibility; - - - id: cp-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: When required by system changes; and - - - id: cp-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: - """ - - {{ cp-3_prm_2 }} thereafter. - """ - - - id: cp-3_gdn - name: guidance - prose: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. - - - id: cp-4 - class: SP800-53 - title: Contingency Plan Testing - parameters: - - - id: cp-4_prm_1 - label: organization-defined frequency - - - id: cp-4_prm_2 - label: organization-defined tests - properties: - - - name: label - value: CP-4 - - - name: sort-id - value: CP-04 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #20bf433b-074c-47a0-8fca-cd591772ccd6 - rel: reference - text: [SP 800-84] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: cp-4_smt - name: statement - parts: - - - id: cp-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Test the contingency plan for the system {{ cp-4_prm_1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ cp-4_prm_2 }}. - - - id: cp-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the contingency plan test results; and - - - id: cp-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Initiate corrective actions, if needed. - - - id: cp-4_gdn - name: guidance - prose: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. - controls: - - - id: cp-4.1 - class: SP800-53-enhancement - title: Coordinate with Related Plans - properties: - - - name: label - value: CP-4(1) - - - name: sort-id - value: CP-04(01) - links: - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-8 - rel: related - text: PM-8 - parts: - - - id: cp-4.1_smt - name: statement - prose: Coordinate contingency plan testing with organizational elements responsible for related plans. - - - id: cp-4.1_gdn - name: guidance - prose: Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements. - - - id: cp-6 - class: SP800-53 - title: Alternate Storage Site - properties: - - - name: label - value: CP-6 - - - name: sort-id - value: CP-06 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-36 - rel: related - text: SC-36 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-6_smt - name: statement - parts: - - - id: cp-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and - - - id: cp-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensure that the alternate storage site provides controls equivalent to that of the primary site. - - - id: cp-6_gdn - name: guidance - prose: Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems. - controls: - - - id: cp-6.1 - class: SP800-53-enhancement - title: Separation from Primary Site - properties: - - - name: label - value: CP-6(1) - - - name: sort-id - value: CP-06(01) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-6.1_smt - name: statement - prose: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. - - - id: cp-6.1_gdn - name: guidance - prose: Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant. - - - id: cp-6.3 - class: SP800-53-enhancement - title: Accessibility - properties: - - - name: label - value: CP-6(3) - - - name: sort-id - value: CP-06(03) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-6.3_smt - name: statement - prose: Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. - - - id: cp-6.3_gdn - name: guidance - prose: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. - - - id: cp-7 - class: SP800-53 - title: Alternate Processing Site - parameters: - - - id: cp-7_prm_1 - label: organization-defined system operations - - - id: cp-7_prm_2 - label: organization-defined time-period consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-7 - - - name: sort-id - value: CP-07 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-11 - rel: related - text: PE-11 - - - href: #pe-12 - rel: related - text: PE-12 - - - href: #pe-17 - rel: related - text: PE-17 - - - href: #sc-36 - rel: related - text: SC-36 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-7_smt - name: statement - parts: - - - id: cp-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ cp-7_prm_1 }} for essential missions and business functions within {{ cp-7_prm_2 }} when the primary processing capabilities are unavailable; - - - id: cp-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and - - - id: cp-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Provide controls at the alternate processing site that are equivalent to those at the primary site. - - - id: cp-7_gdn - name: guidance - prose: Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems. - controls: - - - id: cp-7.1 - class: SP800-53-enhancement - title: Separation from Primary Site - properties: - - - name: label - value: CP-7(1) - - - name: sort-id - value: CP-07(01) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-7.1_smt - name: statement - prose: Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. - - - id: cp-7.1_gdn - name: guidance - prose: Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant. - - - id: cp-7.2 - class: SP800-53-enhancement - title: Accessibility - properties: - - - name: label - value: CP-7(2) - - - name: sort-id - value: CP-07(02) - links: - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: cp-7.2_smt - name: statement - prose: Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. - - - id: cp-7.2_gdn - name: guidance - prose: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. - - - id: cp-7.3 - class: SP800-53-enhancement - title: Priority of Service - properties: - - - name: label - value: CP-7(3) - - - name: sort-id - value: CP-07(03) - parts: - - - id: cp-7.3_smt - name: statement - prose: Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). - - - id: cp-7.3_gdn - name: guidance - prose: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning. - - - id: cp-8 - class: SP800-53 - title: Telecommunications Services - parameters: - - - id: cp-8_prm_1 - label: organization-defined system operations - - - id: cp-8_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: CP-8 - - - name: sort-id - value: CP-08 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-11 - rel: related - text: CP-11 - - - href: #sc-7 - rel: related - text: SC-7 - parts: - - - id: cp-8_smt - name: statement - prose: Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for essential missions and business functions within {{ cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. - - - id: cp-8_gdn - name: guidance - prose: This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. - controls: - - - id: cp-8.1 - class: SP800-53-enhancement - title: Priority of Service Provisions - properties: - - - name: label - value: CP-8(1) - - - name: sort-id - value: CP-08(01) - parts: - - - id: cp-8.1_smt - name: statement - parts: - - - id: cp-8.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and - - - id: cp-8.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. - - - id: cp-8.1_gdn - name: guidance - prose: Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program. - - - id: cp-8.2 - class: SP800-53-enhancement - title: Single Points of Failure - properties: - - - name: label - value: CP-8(2) - - - name: sort-id - value: CP-08(02) - parts: - - - id: cp-8.2_smt - name: statement - prose: Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. - - - id: cp-8.2_gdn - name: guidance - prose: In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services. - - - id: cp-9 - class: SP800-53 - title: System Backup - parameters: - - - id: cp-9_prm_1 - label: organization-defined system components - - - id: cp-9_prm_2 - label: organization-defined frequency consistent with recovery time and recovery point objectives - - - id: cp-9_prm_3 - label: organization-defined frequency consistent with recovery time and recovery point objectives - - - id: cp-9_prm_4 - label: organization-defined frequency consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-9 - - - name: sort-id - value: CP-09 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #ae412317-c2b4-47bb-b47b-c329ce0d7a0b - rel: reference - text: [SP 800-130] - - - href: #38dbdf55-9a14-446f-b563-c48e4e3d37fb - rel: reference - text: [SP 800-152] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-9_smt - name: statement - parts: - - - id: cp-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - Conduct backups of user-level information contained in {{ cp-9_prm_1 }} - {{ cp-9_prm_2 }}; - """ - - - id: cp-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Conduct backups of system-level information contained in the system {{ cp-9_prm_3 }}; - - - id: cp-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Conduct backups of system documentation, including security and privacy-related documentation {{ cp-9_prm_4 }}; and - - - id: cp-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect the confidentiality, integrity, and availability of backup information. - - - id: cp-9_gdn - name: guidance - prose: System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. - controls: - - - id: cp-9.1 - class: SP800-53-enhancement - title: Testing for Reliability and Integrity - parameters: - - - id: cp-9.1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CP-9(1) - - - name: sort-id - value: CP-09(01) - links: - - - href: #cp-4 - rel: related - text: CP-4 - parts: - - - id: cp-9.1_smt - name: statement - prose: Test backup information {{ cp-9.1_prm_1 }} to verify media reliability and information integrity. - - - id: cp-9.1_gdn - name: guidance - prose: Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance. - - - id: cp-9.8 - class: SP800-53-enhancement - title: Cryptographic Protection - parameters: - - - id: cp-9.8_prm_1 - label: organization-defined backup information - properties: - - - name: label - value: CP-9(8) - - - name: sort-id - value: CP-09(08) - links: - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - parts: - - - id: cp-9.8_smt - name: statement - prose: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ cp-9.8_prm_1 }}. - - - id: cp-9.8_gdn - name: guidance - prose: The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. - - - id: cp-10 - class: SP800-53 - title: System Recovery and Reconstitution - parameters: - - - id: cp-10_prm_1 - label: organization-defined time-period consistent with recovery time and recovery point objectives - properties: - - - name: label - value: CP-10 - - - name: sort-id - value: CP-10 - links: - - - href: #65774382-fcc6-4bbc-89fc-9d35aab19952 - rel: reference - text: [SP 800-34] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-24 - rel: related - text: SC-24 - - - href: #si-13 - rel: related - text: SI-13 - parts: - - - id: cp-10_smt - name: statement - prose: Provide for the recovery and reconstitution of the system to a known state within {{ cp-10_prm_1 }} after a disruption, compromise, or failure. - - - id: cp-10_gdn - name: guidance - prose: Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. - controls: - - - id: cp-10.2 - class: SP800-53-enhancement - title: Transaction Recovery - properties: - - - name: label - value: CP-10(2) - - - name: sort-id - value: CP-10(02) - parts: - - - id: cp-10.2_smt - name: statement - prose: Implement transaction recovery for systems that are transaction-based. - - - id: cp-10.2_gdn - name: guidance - prose: Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling. - - - id: ia - class: family - title: Identification and Authentication - controls: - - - id: ia-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ia-1_prm_1 - label: organization-defined personnel or roles - - - id: ia-1_prm_2 - - - id: ia-1_prm_3 - label: organization-defined official - - - id: ia-1_prm_4 - label: organization-defined frequency - - - id: ia-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: IA-1 - - - name: sort-id - value: IA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ia-1_smt - name: statement - parts: - - - id: ia-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ia-1_prm_1 }}: - parts: - - - id: ia-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ia-1_prm_2 }} identification and authentication policy that: - """ - parts: - - - id: ia-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ia-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ia-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; - - - id: ia-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ia-1_prm_3 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and - - - id: ia-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current identification and authentication: - parts: - - - id: ia-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ia-1_prm_4 }}; and - - - id: ia-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ia-1_prm_5 }}. - - - id: ia-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ia-2 - class: SP800-53 - title: Identification and Authentication (organizational Users) - properties: - - - name: label - value: IA-2 - - - name: sort-id - value: IA-02 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa - rel: reference - text: [SP 800-156] - - - href: #a8f55663-86c5-415b-aabe-d2a126981d65 - rel: reference - text: [SP 800-166] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #daf69edb-a0ef-4447-9880-8c4bf553181f - rel: reference - text: [IR 7676] - - - href: #a49f67fc-827c-40e6-9a37-2b1cbe8142fd - rel: reference - text: [IR 7817] - - - href: #972c10bd-aedf-485f-b0db-f46a402127e2 - rel: reference - text: [IR 7849] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: ia-2_smt - name: statement - prose: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. - - - id: ia-2_gdn - name: guidance - prose: - """ - Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. - Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. - The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8. - """ - controls: - - - id: ia-2.1 - class: SP800-53-enhancement - title: Multifactor Authentication to Privileged Accounts - properties: - - - name: label - value: IA-2(1) - - - name: sort-id - value: IA-02(01) - links: - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - parts: - - - id: ia-2.1_smt - name: statement - prose: Implement multifactor authentication for access to privileged accounts. - - - id: ia-2.1_gdn - name: guidance - prose: Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. - - - id: ia-2.2 - class: SP800-53-enhancement - title: Multifactor Authentication to Non-privileged Accounts - properties: - - - name: label - value: IA-2(2) - - - name: sort-id - value: IA-02(02) - links: - - - href: #ac-5 - rel: related - text: AC-5 - parts: - - - id: ia-2.2_smt - name: statement - prose: Implement multifactor authentication for access to non-privileged accounts. - - - id: ia-2.2_gdn - name: guidance - prose: Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. - - - id: ia-2.8 - class: SP800-53-enhancement - title: Access to Accounts — Replay Resistant - parameters: - - - id: ia-2.8_prm_1 - properties: - - - name: label - value: IA-2(8) - - - name: sort-id - value: IA-02(08) - parts: - - - id: ia-2.8_smt - name: statement - prose: Implement replay-resistant authentication mechanisms for access to {{ ia-2.8_prm_1 }}. - - - id: ia-2.8_gdn - name: guidance - prose: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. - - - id: ia-2.12 - class: SP800-53-enhancement - title: Acceptance of PIV Credentials - properties: - - - name: label - value: IA-2(12) - - - name: sort-id - value: IA-02(12) - parts: - - - id: ia-2.12_smt - name: statement - prose: Accept and electronically verify Personal Identity Verification-compliant credentials. - - - id: ia-2.12_gdn - name: guidance - prose: Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential. - - - id: ia-3 - class: SP800-53 - title: Device Identification and Authentication - parameters: - - - id: ia-3_prm_1 - label: organization-defined devices and/or types of devices - - - id: ia-3_prm_2 - properties: - - - name: label - value: IA-3 - - - name: sort-id - value: IA-03 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: ia-3_smt - name: statement - prose: Uniquely identify and authenticate {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }} connection. - - - id: ia-3_gdn - name: guidance - prose: Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need. - - - id: ia-4 - class: SP800-53 - title: Identifier Management - parameters: - - - id: ia-4_prm_1 - label: organization-defined personnel or roles - - - id: ia-4_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: IA-4 - - - name: sort-id - value: IA-04 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #sc-37 - rel: related - text: SC-37 - parts: - - - id: ia-4_smt - name: statement - prose: Manage system identifiers by: - parts: - - - id: ia-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Receiving authorization from {{ ia-4_prm_1 }} to assign an individual, group, role, service, or device identifier; - - - id: ia-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Selecting an identifier that identifies an individual, group, role, service, or device; - - - id: ia-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assigning the identifier to the intended individual, group, role, service, or device; and - - - id: ia-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Preventing reuse of identifiers for {{ ia-4_prm_2 }}. - - - id: ia-4_gdn - name: guidance - prose: Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices. - controls: - - - id: ia-4.4 - class: SP800-53-enhancement - title: Identify User Status - parameters: - - - id: ia-4.4_prm_1 - label: organization-defined characteristic identifying individual status - properties: - - - name: label - value: IA-4(4) - - - name: sort-id - value: IA-04(04) - parts: - - - id: ia-4.4_smt - name: statement - prose: Manage individual identifiers by uniquely identifying each individual as {{ ia-4.4_prm_1 }}. - - - id: ia-4.4_gdn - name: guidance - prose: Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor. - - - id: ia-5 - class: SP800-53 - title: Authenticator Management - parameters: - - - id: ia-5_prm_1 - label: organization-defined time-period by authenticator type - properties: - - - name: label - value: IA-5 - - - name: sort-id - value: IA-05 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #a49f67fc-827c-40e6-9a37-2b1cbe8142fd - rel: reference - text: [IR 7817] - - - href: #972c10bd-aedf-485f-b0db-f46a402127e2 - rel: reference - text: [IR 7849] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #24738ee6-b3f3-4e37-825b-58775846bdbc - rel: reference - text: [IR 8040] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - parts: - - - id: ia-5_smt - name: statement - prose: Manage system authenticators by: - parts: - - - id: ia-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; - - - id: ia-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing initial authenticator content for any authenticators issued by the organization; - - - id: ia-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ensuring that authenticators have sufficient strength of mechanism for their intended use; - - - id: ia-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; - - - id: ia-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; - - - id: ia-5_smt.f - name: item - properties: - - - name: label - value: f. - prose: Changing default authenticators prior to first use; - - - id: ia-5_smt.g - name: item - properties: - - - name: label - value: g. - prose: Changing or refreshing authenticators {{ ia-5_prm_1 }}; - - - id: ia-5_smt.h - name: item - properties: - - - name: label - value: h. - prose: Protecting authenticator content from unauthorized disclosure and modification; - - - id: ia-5_smt.i - name: item - properties: - - - name: label - value: i. - prose: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and - - - id: ia-5_smt.j - name: item - properties: - - - name: label - value: j. - prose: Changing authenticators for group or role accounts when membership to those accounts changes. - - - id: ia-5_gdn - name: guidance - prose: - """ - Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. - Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. - """ - controls: - - - id: ia-5.1 - class: SP800-53-enhancement - title: Password-based Authentication - parameters: - - - id: ia-5.1_prm_1 - label: organization-defined frequency - - - id: ia-5.1_prm_2 - label: organization-defined composition and complexity rules - properties: - - - name: label - value: IA-5(1) - - - name: sort-id - value: IA-05(01) - links: - - - href: #ia-6 - rel: related - text: IA-6 - parts: - - - id: ia-5.1_smt - name: statement - prose: For password-based authentication: - parts: - - - id: ia-5.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ ia-5.1_prm_1 }} and when organizational passwords are suspected to have been compromised directly or indirectly; - - - id: ia-5.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords; - - - id: ia-5.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Transmit only cryptographically-protected passwords; - - - id: ia-5.1_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Store passwords using an approved hash algorithm and salt, preferably using a keyed hash; - - - id: ia-5.1_smt.e - name: item - properties: - - - name: label - value: (e) - prose: Require immediate selection of a new password upon account recovery; - - - id: ia-5.1_smt.f - name: item - properties: - - - name: label - value: (f) - prose: Allow user selection of long passwords and passphrases, including spaces and all printable characters; - - - id: ia-5.1_smt.g - name: item - properties: - - - name: label - value: (g) - prose: Employ automated tools to assist the user in selecting strong password authenticators; and - - - id: ia-5.1_smt.h - name: item - properties: - - - name: label - value: (h) - prose: Enforce the following composition and complexity rules: {{ ia-5.1_prm_2 }}. - - - id: ia-5.1_gdn - name: guidance - prose: Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof. - - - id: ia-5.2 - class: SP800-53-enhancement - title: Implement a local cache of revocation data to support path discovery and validation. - properties: - - - name: label - value: IA-5(2) - - - name: sort-id - value: IA-05(02) - links: - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #sc-17 - rel: related - text: SC-17 - parts: - - - id: ia-5.2_smt - name: statement - prose: Discussion: Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network. - - - id: ia-5.2_gdn - name: guidance - - - id: ia-5.6 - class: SP800-53-enhancement - title: Protection of Authenticators - properties: - - - name: label - value: IA-5(6) - - - name: sort-id - value: IA-05(06) - links: - - - href: #ra-2 - rel: related - text: RA-2 - parts: - - - id: ia-5.6_smt - name: statement - prose: Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. - - - id: ia-5.6_gdn - name: guidance - prose: For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process. - - - id: ia-6 - class: SP800-53 - title: Authenticator Feedback - properties: - - - name: label - value: IA-6 - - - name: sort-id - value: IA-06 - links: - - - href: #ac-3 - rel: related - text: AC-3 - parts: - - - id: ia-6_smt - name: statement - prose: Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. - - - id: ia-6_gdn - name: guidance - prose: Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it. - - - id: ia-7 - class: SP800-53 - title: Cryptographic Module Authentication - properties: - - - name: label - value: IA-7 - - - name: sort-id - value: IA-07 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: ia-7_smt - name: statement - prose: Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. - - - id: ia-7_gdn - name: guidance - prose: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. - - - id: ia-8 - class: SP800-53 - title: Identification and Authentication (non-organizational Users) - properties: - - - name: label - value: IA-8 - - - name: sort-id - value: IA-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #ad7d575f-b5fe-489b-8d48-36a93d964a5f - rel: reference - text: [SP 800-116] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-10 - rel: related - text: IA-10 - - - href: #ia-11 - rel: related - text: IA-11 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-8 - rel: related - text: SC-8 - parts: - - - id: ia-8_smt - name: statement - prose: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. - - - id: ia-8_gdn - name: guidance - prose: Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk. - controls: - - - id: ia-8.1 - class: SP800-53-enhancement - title: Acceptance of PIV Credentials from Other Agencies - properties: - - - name: label - value: IA-8(1) - - - name: sort-id - value: IA-08(01) - links: - - - href: #pe-3 - rel: related - text: PE-3 - parts: - - - id: ia-8.1_smt - name: statement - prose: Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. - - - id: ia-8.1_gdn - name: guidance - prose: Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2]. - - - id: ia-8.2 - class: SP800-53-enhancement - title: Acceptance of External Credentials - properties: - - - name: label - value: IA-8(2) - - - name: sort-id - value: IA-08(02) - parts: - - - id: ia-8.2_smt - name: statement - prose: Accept only external credentials that are NIST-compliant. - - - id: ia-8.2_gdn - name: guidance - prose: Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels. - - - id: ia-8.4 - class: SP800-53-enhancement - title: Use of Nist-issued Profiles - properties: - - - name: label - value: IA-8(4) - - - name: sort-id - value: IA-08(04) - parts: - - - id: ia-8.4_smt - name: statement - prose: Conform to NIST-issued profiles for identity management. - - - id: ia-8.4_gdn - name: guidance - prose: Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols. - - - id: ia-11 - class: SP800-53 - title: Re-authentication - parameters: - - - id: ia-11_prm_1 - label: organization-defined circumstances or situations requiring re-authentication - properties: - - - name: label - value: IA-11 - - - name: sort-id - value: IA-11 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-11 - rel: related - text: AC-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - parts: - - - id: ia-11_smt - name: statement - prose: Require users to re-authenticate when {{ ia-11_prm_1 }}. - - - id: ia-11_gdn - name: guidance - prose: In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically. - - - id: ia-12 - class: SP800-53 - title: Identity Proofing - properties: - - - name: label - value: IA-12 - - - name: sort-id - value: IA-12 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #3c50fa31-7f4d-4d30-91d7-27ee87cd5f75 - rel: reference - text: [SP 800-63A] - - - href: #bb55e71a-e059-4263-8dd8-bc96fd3f063d - rel: reference - text: [SP 800-79-2] - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-6 - rel: related - text: IA-6 - - - href: #ia-8 - rel: related - text: IA-8 - parts: - - - id: ia-12_smt - name: statement - parts: - - - id: ia-12_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; - - - id: ia-12_smt.b - name: item - properties: - - - name: label - value: b. - prose: Resolve user identities to a unique individual; and - - - id: ia-12_smt.c - name: item - properties: - - - name: label - value: c. - prose: Collect, validate, and verify identity evidence. - - - id: ia-12_gdn - name: guidance - prose: Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A]. - controls: - - - id: ia-12.2 - class: SP800-53-enhancement - title: Identity Evidence - properties: - - - name: label - value: IA-12(2) - - - name: sort-id - value: IA-12(02) - parts: - - - id: ia-12.2_smt - name: statement - prose: Require evidence of individual identification be presented to the registration authority. - - - id: ia-12.2_gdn - name: guidance - prose: Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account. - - - id: ia-12.3 - class: SP800-53-enhancement - title: Identity Evidence Validation and Verification - parameters: - - - id: ia-12.3_prm_1 - label: organizational defined methods of validation and verification - properties: - - - name: label - value: IA-12(3) - - - name: sort-id - value: IA-12(03) - parts: - - - id: ia-12.3_smt - name: statement - prose: Require that the presented identity evidence be validated and verified through {{ ia-12.3_prm_1 }}. - - - id: ia-12.3_gdn - name: guidance - prose: Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account - - - id: ia-12.5 - class: SP800-53-enhancement - title: Address Confirmation - parameters: - - - id: ia-12.5_prm_1 - properties: - - - name: label - value: IA-12(5) - - - name: sort-id - value: IA-12(05) - links: - - - href: #ia-12 - rel: related - text: IA-12 - parts: - - - id: ia-12.5_smt - name: statement - prose: Require that a {{ ia-12.5_prm_1 }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record. - - - id: ia-12.5_gdn - name: guidance - prose: To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses. - - - id: ir - class: family - title: Incident Response - controls: - - - id: ir-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ir-1_prm_1 - label: organization-defined personnel or roles - - - id: ir-1_prm_2 - - - id: ir-1_prm_3 - label: organization-defined official - - - id: ir-1_prm_4 - label: organization-defined frequency - - - id: ir-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: IR-1 - - - name: sort-id - value: IR-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ir-1_smt - name: statement - parts: - - - id: ir-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ir-1_prm_1 }}: - parts: - - - id: ir-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ir-1_prm_2 }} incident response policy that: - """ - parts: - - - id: ir-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ir-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ir-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; - - - id: ir-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and - - - id: ir-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current incident response: - parts: - - - id: ir-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ir-1_prm_4 }}; and - - - id: ir-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ir-1_prm_5 }}. - - - id: ir-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ir-2 - class: SP800-53 - title: Incident Response Training - parameters: - - - id: ir-2_prm_1 - label: organization-defined time-period - - - id: ir-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: IR-2 - - - name: sort-id - value: IR-02 - links: - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: ir-2_smt - name: statement - prose: Provide incident response training to system users consistent with assigned roles and responsibilities: - parts: - - - id: ir-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Within {{ ir-2_prm_1 }} of assuming an incident response role or responsibility or acquiring system access; - - - id: ir-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: When required by system changes; and - - - id: ir-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: - """ - - {{ ir-2_prm_2 }} thereafter. - """ - - - id: ir-2_gdn - name: guidance - prose: Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. - - - id: ir-3 - class: SP800-53 - title: Incident Response Testing - parameters: - - - id: ir-3_prm_1 - label: organization-defined frequency - - - id: ir-3_prm_2 - label: organization-defined tests - properties: - - - name: label - value: IR-3 - - - name: sort-id - value: IR-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #20bf433b-074c-47a0-8fca-cd591772ccd6 - rel: reference - text: [SP 800-84] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-14 - rel: related - text: PM-14 - parts: - - - id: ir-3_smt - name: statement - prose: Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}. - - - id: ir-3_gdn - name: guidance - prose: Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes. - controls: - - - id: ir-3.2 - class: SP800-53-enhancement - title: Coordination with Related Plans - properties: - - - name: label - value: IR-3(2) - - - name: sort-id - value: IR-03(02) - parts: - - - id: ir-3.2_smt - name: statement - prose: Coordinate incident response testing with organizational elements responsible for related plans. - - - id: ir-3.2_gdn - name: guidance - prose: Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. - - - id: ir-4 - class: SP800-53 - title: Incident Handling - properties: - - - name: label - value: IR-4 - - - name: sort-id - value: IR-04 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #35dfd59f-eef2-4f71-bdb5-6d878267456a - rel: reference - text: [SP 800-86] - - - href: #1e2c475a-84ae-4c60-b420-8fb2ea552b71 - rel: reference - text: [SP 800-101] - - - href: #ad3e8f21-07c6-4968-b002-00b64dfa70ae - rel: reference - text: [SP 800-150] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #08f518f7-f9b9-4bee-8986-860214f46b16 - rel: reference - text: [SP 800-184] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ir-4_smt - name: statement - parts: - - - id: ir-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; - - - id: ir-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate incident handling activities with contingency planning activities; - - - id: ir-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and - - - id: ir-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. - - - id: ir-4_gdn - name: guidance - prose: Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk. - controls: - - - id: ir-4.1 - class: SP800-53-enhancement - title: Automated Incident Handling Processes - parameters: - - - id: ir-4.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-4(1) - - - name: sort-id - value: IR-04(01) - parts: - - - id: ir-4.1_smt - name: statement - prose: Support the incident handling process using {{ ir-4.1_prm_1 }}. - - - id: ir-4.1_gdn - name: guidance - prose: Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis. - - - id: ir-5 - class: SP800-53 - title: Incident Monitoring - properties: - - - name: label - value: IR-5 - - - name: sort-id - value: IR-05 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ir-5_smt - name: statement - prose: Track and document security, privacy, and supply chain incidents. - - - id: ir-5_gdn - name: guidance - prose: Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports. - - - id: ir-6 - class: SP800-53 - title: Incident Reporting - parameters: - - - id: ir-6_prm_1 - label: organization-defined time-period - - - id: ir-6_prm_2 - label: organization-defined authorities - properties: - - - name: label - value: IR-6 - - - name: sort-id - value: IR-06 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: ir-6_smt - name: statement - parts: - - - id: ir-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and - - - id: ir-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}. - - - id: ir-6_gdn - name: guidance - prose: The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - controls: - - - id: ir-6.1 - class: SP800-53-enhancement - title: Automated Reporting - parameters: - - - id: ir-6.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-6(1) - - - name: sort-id - value: IR-06(01) - links: - - - href: #ir-7 - rel: related - text: IR-7 - parts: - - - id: ir-6.1_smt - name: statement - prose: Report incidents using {{ ir-6.1_prm_1 }}. - - - id: ir-6.1_gdn - name: guidance - prose: Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs. - - - id: ir-6.3 - class: SP800-53-enhancement - title: Supply Chain Coordination - properties: - - - name: label - value: IR-6(3) - - - name: sort-id - value: IR-06(03) - links: - - - href: #sr-8 - rel: related - text: SR-8 - parts: - - - id: ir-6.3_smt - name: statement - prose: Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident. - - - id: ir-6.3_gdn - name: guidance - prose: Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident. - - - id: ir-7 - class: SP800-53 - title: Incident Response Assistance - properties: - - - name: label - value: IR-7 - - - name: sort-id - value: IR-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-26 - rel: related - text: PM-26 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: ir-7_smt - name: statement - prose: Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents. - - - id: ir-7_gdn - name: guidance - prose: Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required. - controls: - - - id: ir-7.1 - class: SP800-53-enhancement - title: Automation Support for Availability of Information and Support - parameters: - - - id: ir-7.1_prm_1 - label: organization-defined automated mechanisms - properties: - - - name: label - value: IR-7(1) - - - name: sort-id - value: IR-07(01) - parts: - - - id: ir-7.1_smt - name: statement - prose: Increase the availability of incident response information and support using {{ ir-7.1_prm_1 }}. - - - id: ir-7.1_gdn - name: guidance - prose: Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. - - - id: ir-8 - class: SP800-53 - title: Incident Response Plan - parameters: - - - id: ir-8_prm_1 - label: organization-defined personnel or roles - - - id: ir-8_prm_2 - label: organization-defined frequency - - - id: ir-8_prm_3 - label: organization-defined entities, personnel, or roles - - - id: ir-8_prm_4 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - - id: ir-8_prm_5 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - properties: - - - name: label - value: IR-8 - - - name: sort-id - value: IR-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #389fe193-866e-46b1-bf1d-38904b56aa7b - rel: reference - text: [OMB M-17-12] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-8 - rel: related - text: SR-8 - parts: - - - id: ir-8_smt - name: statement - parts: - - - id: ir-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop an incident response plan that: - parts: - - - id: ir-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Provides the organization with a roadmap for implementing its incident response capability; - - - id: ir-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Describes the structure and organization of the incident response capability; - - - id: ir-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Provides a high-level approach for how the incident response capability fits into the overall organization; - - - id: ir-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; - - - id: ir-8_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Defines reportable incidents; - - - id: ir-8_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provides metrics for measuring the incident response capability within the organization; - - - id: ir-8_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Defines the resources and management support needed to effectively maintain and mature an incident response capability; - - - id: ir-8_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: - """ - Is reviewed and approved by {{ ir-8_prm_1 }} - {{ ir-8_prm_2 }}; and - """ - - - id: ir-8_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}. - - - id: ir-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the incident response plan to {{ ir-8_prm_4 }}; - - - id: ir-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; - - - id: ir-8_smt.d - name: item - properties: - - - name: label - value: d. - prose: Communicate incident response plan changes to {{ ir-8_prm_5 }}; and - - - id: ir-8_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the incident response plan from unauthorized disclosure and modification. - - - id: ir-8_gdn - name: guidance - prose: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly. - - - id: ma - class: family - title: Maintenance - controls: - - - id: ma-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ma-1_prm_1 - label: organization-defined personnel or roles - - - id: ma-1_prm_2 - - - id: ma-1_prm_3 - label: organization-defined official - - - id: ma-1_prm_4 - label: organization-defined frequency - - - id: ma-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: MA-1 - - - name: sort-id - value: MA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ma-1_smt - name: statement - parts: - - - id: ma-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ma-1_prm_1 }}: - parts: - - - id: ma-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ma-1_prm_2 }} maintenance policy that: - """ - parts: - - - id: ma-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ma-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ma-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; - - - id: ma-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ma-1_prm_3 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and - - - id: ma-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current maintenance: - parts: - - - id: ma-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ma-1_prm_4 }}; and - - - id: ma-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ma-1_prm_5 }}. - - - id: ma-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ma-2 - class: SP800-53 - title: Controlled Maintenance - parameters: - - - id: ma-2_prm_1 - label: organization-defined personnel or roles - - - id: ma-2_prm_2 - label: organization-defined information - - - id: ma-2_prm_3 - label: organization-defined information - properties: - - - name: label - value: MA-2 - - - name: sort-id - value: MA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: ma-2_smt - name: statement - parts: - - - id: ma-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; - - - id: ma-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; - - - id: ma-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Require that {{ ma-2_prm_1 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; - - - id: ma-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ ma-2_prm_2 }}; - - - id: ma-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and - - - id: ma-2_smt.f - name: item - properties: - - - name: label - value: f. - prose: Include the following information in organizational maintenance records: {{ ma-2_prm_3 }}. - - - id: ma-2_gdn - name: guidance - prose: Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems. - - - id: ma-3 - class: SP800-53 - title: Maintenance Tools - parameters: - - - id: ma-3_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: MA-3 - - - name: sort-id - value: MA-03 - links: - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #pe-16 - rel: related - text: PE-16 - parts: - - - id: ma-3_smt - name: statement - parts: - - - id: ma-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve, control, and monitor the use of system maintenance tools; and - - - id: ma-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review previously approved system maintenance tools {{ ma-3_prm_1 }}. - - - id: ma-3_gdn - name: guidance - prose: Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools. - controls: - - - id: ma-3.1 - class: SP800-53-enhancement - title: Inspect Tools - properties: - - - name: label - value: MA-3(1) - - - name: sort-id - value: MA-03(01) - links: - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ma-3.1_smt - name: statement - prose: Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications. - - - id: ma-3.1_gdn - name: guidance - prose: Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. - - - id: ma-3.2 - class: SP800-53-enhancement - title: Inspect Media - properties: - - - name: label - value: MA-3(2) - - - name: sort-id - value: MA-03(02) - links: - - - href: #si-3 - rel: related - text: SI-3 - parts: - - - id: ma-3.2_smt - name: statement - prose: Check media containing diagnostic and test programs for malicious code before the media are used in the system. - - - id: ma-3.2_gdn - name: guidance - prose: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. - - - id: ma-3.3 - class: SP800-53-enhancement - title: Prevent Unauthorized Removal - parameters: - - - id: ma-3.3_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: MA-3(3) - - - name: sort-id - value: MA-03(03) - links: - - - href: #mp-6 - rel: related - text: MP-6 - parts: - - - id: ma-3.3_smt - name: statement - prose: Prevent the removal of maintenance equipment containing organizational information by: - parts: - - - id: ma-3.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Verifying that there is no organizational information contained on the equipment; - - - id: ma-3.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Sanitizing or destroying the equipment; - - - id: ma-3.3_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Retaining the equipment within the facility; or - - - id: ma-3.3_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility. - - - id: ma-3.3_gdn - name: guidance - prose: Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards. - - - id: ma-4 - class: SP800-53 - title: Nonlocal Maintenance - properties: - - - name: label - value: MA-4 - - - name: sort-id - value: MA-04 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #bbc7085f-b383-444e-af74-722a55cccc0f - rel: reference - text: [FIPS 197] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-10 - rel: related - text: SC-10 - parts: - - - id: ma-4_smt - name: statement - parts: - - - id: ma-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Approve and monitor nonlocal maintenance and diagnostic activities; - - - id: ma-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; - - - id: ma-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; - - - id: ma-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Maintain records for nonlocal maintenance and diagnostic activities; and - - - id: ma-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Terminate session and network connections when nonlocal maintenance is completed. - - - id: ma-4_gdn - name: guidance - prose: Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. - - - id: ma-5 - class: SP800-53 - title: Maintenance Personnel - properties: - - - name: label - value: MA-5 - - - name: sort-id - value: MA-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: ma-5_smt - name: statement - parts: - - - id: ma-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; - - - id: ma-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and - - - id: ma-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. - - - id: ma-5_gdn - name: guidance - prose: Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods. - - - id: ma-6 - class: SP800-53 - title: Timely Maintenance - parameters: - - - id: ma-6_prm_1 - label: organization-defined system components - - - id: ma-6_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: MA-6 - - - name: sort-id - value: MA-06 - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-13 - rel: related - text: SI-13 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: ma-6_smt - name: statement - prose: Obtain maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure. - - - id: ma-6_gdn - name: guidance - prose: Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place. - - - id: mp - class: family - title: Media Protection - controls: - - - id: mp-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: mp-1_prm_1 - label: organization-defined personnel or roles - - - id: mp-1_prm_2 - - - id: mp-1_prm_3 - label: organization-defined official - - - id: mp-1_prm_4 - label: organization-defined frequency - - - id: mp-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: MP-1 - - - name: sort-id - value: MP-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-1_smt - name: statement - parts: - - - id: mp-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ mp-1_prm_1 }}: - parts: - - - id: mp-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ mp-1_prm_2 }} media protection policy that: - """ - parts: - - - id: mp-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: mp-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: mp-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; - - - id: mp-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and - - - id: mp-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current media protection: - parts: - - - id: mp-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ mp-1_prm_4 }}; and - - - id: mp-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ mp-1_prm_5 }}. - - - id: mp-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: mp-2 - class: SP800-53 - title: Media Access - parameters: - - - id: mp-2_prm_1 - label: organization-defined types of digital and/or non-digital media - - - id: mp-2_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: MP-2 - - - name: sort-id - value: MP-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-2_smt - name: statement - prose: Restrict access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}. - - - id: mp-2_gdn - name: guidance - prose: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media. - - - id: mp-3 - class: SP800-53 - title: Media Marking - parameters: - - - id: mp-3_prm_1 - label: organization-defined types of system media - - - id: mp-3_prm_2 - label: organization-defined controlled areas - properties: - - - name: label - value: MP-3 - - - name: sort-id - value: MP-03 - links: - - - href: #742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - rel: reference - text: [32 CFR 2002] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-22 - rel: related - text: PE-22 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-3_smt - name: statement - parts: - - - id: mp-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and - - - id: mp-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Exempt {{ mp-3_prm_1 }} from marking if the media remain within {{ mp-3_prm_2 }}. - - - id: mp-3_gdn - name: guidance - prose: Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: mp-4 - class: SP800-53 - title: Media Storage - parameters: - - - id: mp-4_prm_1 - label: organization-defined types of digital and/or non-digital media - - - id: mp-4_prm_2 - label: organization-defined controlled areas - properties: - - - name: label - value: MP-4 - - - name: sort-id - value: MP-04 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #77dc1838-3664-4faa-bc6e-4e2a16e52f35 - rel: reference - text: [SP 800-56A] - - - href: #f417e4ec-cadb-47a8-a363-6006b32c28ad - rel: reference - text: [SP 800-56B] - - - href: #7c3ba335-62bd-4f03-888f-960790409b11 - rel: reference - text: [SP 800-56C] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-4_smt - name: statement - parts: - - - id: mp-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Physically control and securely store {{ mp-4_prm_1 }} within {{ mp-4_prm_2 }}; and - - - id: mp-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures. - - - id: mp-4_gdn - name: guidance - prose: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection. - - - id: mp-5 - class: SP800-53 - title: Media Transport - parameters: - - - id: mp-5_prm_1 - label: organization-defined types of system media - - - id: mp-5_prm_2 - label: organization-defined controls - properties: - - - name: label - value: MP-5 - - - name: sort-id - value: MP-05 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #mp-3 - rel: related - text: MP-3 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-34 - rel: related - text: SC-34 - parts: - - - id: mp-5_smt - name: statement - parts: - - - id: mp-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Protect and control {{ mp-5_prm_1 }} during transport outside of controlled areas using {{ mp-5_prm_2 }}; - - - id: mp-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain accountability for system media during transport outside of controlled areas; - - - id: mp-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document activities associated with the transport of system media; and - - - id: mp-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Restrict the activities associated with the transport of system media to authorized personnel. - - - id: mp-5_gdn - name: guidance - prose: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records. - - - id: mp-6 - class: SP800-53 - title: Media Sanitization - parameters: - - - id: mp-6_prm_1 - label: organization-defined system media - - - id: mp-6_prm_2 - label: organization-defined sanitization techniques and procedures - properties: - - - name: label - value: MP-6 - - - name: sort-id - value: MP-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #a52271dc-11b5-423a-8b6f-14867bd94259 - rel: reference - text: [NSA MEDIA] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - - - href: #si-19 - rel: related - text: SI-19 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: mp-6_smt - name: statement - parts: - - - id: mp-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and - - - id: mp-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. - - - id: mp-6_gdn - name: guidance - prose: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information. - - - id: mp-7 - class: SP800-53 - title: Media Use - parameters: - - - id: mp-7_prm_1 - - - id: mp-7_prm_2 - label: organization-defined types of system media - - - id: mp-7_prm_3 - label: organization-defined systems or system components - - - id: mp-7_prm_4 - label: organization-defined controls - properties: - - - name: label - value: MP-7 - - - name: sort-id - value: MP-07 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #sc-41 - rel: related - text: SC-41 - parts: - - - id: mp-7_smt - name: statement - parts: - - - id: mp-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - - {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}; and - """ - - - id: mp-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. - - - id: mp-7_gdn - name: guidance - prose: System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices. - - - id: pe - class: family - title: Physical and Environmental Protection - controls: - - - id: pe-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pe-1_prm_1 - label: organization-defined personnel or roles - - - id: pe-1_prm_2 - - - id: pe-1_prm_3 - label: organization-defined official - - - id: pe-1_prm_4 - label: organization-defined frequency - - - id: pe-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PE-1 - - - name: sort-id - value: PE-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pe-1_smt - name: statement - parts: - - - id: pe-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pe-1_prm_1 }}: - parts: - - - id: pe-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pe-1_prm_2 }} physical and environmental protection policy that: - """ - parts: - - - id: pe-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pe-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pe-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; - - - id: pe-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pe-1_prm_3 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and - - - id: pe-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current physical and environmental protection: - parts: - - - id: pe-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pe-1_prm_4 }}; and - - - id: pe-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pe-1_prm_5 }}. - - - id: pe-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pe-2 - class: SP800-53 - title: Physical Access Authorizations - parameters: - - - id: pe-2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PE-2 - - - name: sort-id - value: PE-02 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-8 - rel: related - text: PE-8 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-6 - rel: related - text: PS-6 - parts: - - - id: pe-2_smt - name: statement - parts: - - - id: pe-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; - - - id: pe-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Issue authorization credentials for facility access; - - - id: pe-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the access list detailing authorized facility access by individuals {{ pe-2_prm_1 }}; and - - - id: pe-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Remove individuals from the facility access list when access is no longer required. - - - id: pe-2_gdn - name: guidance - prose: Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible. - - - id: pe-3 - class: SP800-53 - title: Physical Access Control - parameters: - - - id: pe-3_prm_1 - label: organization-defined entry and exit points to the facility where the system resides - - - id: pe-3_prm_2 - - - id: pe-3_prm_3 - depends-on: pe-3_prm_2 - label: organization-defined physical access control systems or devices - - - id: pe-3_prm_4 - label: organization-defined entry or exit points - - - id: pe-3_prm_5 - label: organization-defined controls - - - id: pe-3_prm_6 - label: organization-defined circumstances requiring visitor escorts and monitoring - - - id: pe-3_prm_7 - label: organization-defined physical access devices - - - id: pe-3_prm_8 - label: organization-defined frequency - - - id: pe-3_prm_9 - label: organization-defined frequency - properties: - - - name: label - value: PE-3 - - - name: sort-id - value: PE-03 - links: - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ad7d575f-b5fe-489b-8d48-36a93d964a5f - rel: reference - text: [SP 800-116] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-8 - rel: related - text: PE-8 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: pe-3_smt - name: statement - parts: - - - id: pe-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Enforce physical access authorizations at {{ pe-3_prm_1 }} by: - parts: - - - id: pe-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Verifying individual access authorizations before granting access to the facility; and - - - id: pe-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Controlling ingress and egress to the facility using {{ pe-3_prm_2 }}; - - - id: pe-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain physical access audit logs for {{ pe-3_prm_4 }}; - - - id: pe-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ pe-3_prm_5 }}; - - - id: pe-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Escort visitors and monitor visitor activity {{ pe-3_prm_6 }}; - - - id: pe-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Secure keys, combinations, and other physical access devices; - - - id: pe-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Inventory {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }}; and - - - id: pe-3_smt.g - name: item - properties: - - - name: label - value: g. - prose: Change combinations and keys {{ pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. - - - id: pe-3_gdn - name: guidance - prose: Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components. - - - id: pe-4 - class: SP800-53 - title: Access Control for Transmission - parameters: - - - id: pe-4_prm_1 - label: organization-defined system distribution and transmission lines - - - id: pe-4_prm_2 - label: organization-defined security controls - properties: - - - name: label - value: PE-4 - - - name: sort-id - value: PE-04 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-5 - rel: related - text: PE-5 - - - href: #pe-9 - rel: related - text: PE-9 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-8 - rel: related - text: SC-8 - parts: - - - id: pe-4_smt - name: statement - prose: Control physical access to {{ pe-4_prm_1 }} within organizational facilities using {{ pe-4_prm_2 }}. - - - id: pe-4_gdn - name: guidance - prose: Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors. - - - id: pe-5 - class: SP800-53 - title: Access Control for Output Devices - parameters: - - - id: pe-5_prm_1 - label: organization-defined output devices - properties: - - - name: label - value: PE-5 - - - name: sort-id - value: PE-05 - links: - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #pe-18 - rel: related - text: PE-18 - parts: - - - id: pe-5_smt - name: statement - prose: Control physical access to output from {{ pe-5_prm_1 }} to prevent unauthorized individuals from obtaining the output. - - - id: pe-5_gdn - name: guidance - prose: Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers. - - - id: pe-6 - class: SP800-53 - title: Monitoring Physical Access - parameters: - - - id: pe-6_prm_1 - label: organization-defined frequency - - - id: pe-6_prm_2 - label: organization-defined events or potential indications of events - properties: - - - name: label - value: PE-6 - - - name: sort-id - value: PE-06 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - parts: - - - id: pe-6_smt - name: statement - parts: - - - id: pe-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; - - - id: pe-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review physical access logs {{ pe-6_prm_1 }} and upon occurrence of {{ pe-6_prm_2 }}; and - - - id: pe-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Coordinate results of reviews and investigations with the organizational incident response capability. - - - id: pe-6_gdn - name: guidance - prose: Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses. - controls: - - - id: pe-6.1 - class: SP800-53-enhancement - title: Intrusion Alarms and Surveillance Equipment - properties: - - - name: label - value: PE-6(1) - - - name: sort-id - value: PE-06(01) - parts: - - - id: pe-6.1_smt - name: statement - prose: Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment. - - - id: pe-6.1_gdn - name: guidance - prose: Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility. - - - id: pe-8 - class: SP800-53 - title: Visitor Access Records - parameters: - - - id: pe-8_prm_1 - label: organization-defined time-period - - - id: pe-8_prm_2 - label: organization-defined frequency - - - id: pe-8_prm_3 - label: organization-defined personnel - properties: - - - name: label - value: PE-8 - - - name: sort-id - value: PE-08 - links: - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - parts: - - - id: pe-8_smt - name: statement - parts: - - - id: pe-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Maintain visitor access records to the facility where the system resides for {{ pe-8_prm_1 }}; - - - id: pe-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review visitor access records {{ pe-8_prm_2 }}; and - - - id: pe-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Report anomalies in visitor access records to {{ pe-8_prm_3 }}. - - - id: pe-8_gdn - name: guidance - prose: Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas. - - - id: pe-9 - class: SP800-53 - title: Power Equipment and Cabling - properties: - - - name: label - value: PE-9 - - - name: sort-id - value: PE-09 - links: - - - href: #pe-4 - rel: related - text: PE-4 - parts: - - - id: pe-9_smt - name: statement - prose: Protect power equipment and power cabling for the system from damage and destruction. - - - id: pe-9_gdn - name: guidance - prose: Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems. - - - id: pe-10 - class: SP800-53 - title: Emergency Shutoff - parameters: - - - id: pe-10_prm_1 - label: organization-defined system or individual system components - - - id: pe-10_prm_2 - label: organization-defined location by system or system component - properties: - - - name: label - value: PE-10 - - - name: sort-id - value: PE-10 - links: - - - href: #pe-15 - rel: related - text: PE-15 - parts: - - - id: pe-10_smt - name: statement - parts: - - - id: pe-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide the capability of shutting off power to {{ pe-10_prm_1 }} in emergency situations; - - - id: pe-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Place emergency shutoff switches or devices in {{ pe-10_prm_2 }} to facilitate access for authorized personnel; and - - - id: pe-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Protect emergency power shutoff capability from unauthorized activation. - - - id: pe-10_gdn - name: guidance - prose: Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery. - - - id: pe-11 - class: SP800-53 - title: Emergency Power - parameters: - - - id: pe-11_prm_1 - properties: - - - name: label - value: PE-11 - - - name: sort-id - value: PE-11 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: pe-11_smt - name: statement - prose: Provide an uninterruptible power supply to facilitate {{ pe-11_prm_1 }} in the event of a primary power source loss. - - - id: pe-11_gdn - name: guidance - prose: An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system. - - - id: pe-12 - class: SP800-53 - title: Emergency Lighting - properties: - - - name: label - value: PE-12 - - - name: sort-id - value: PE-12 - links: - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: pe-12_smt - name: statement - prose: Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. - - - id: pe-12_gdn - name: guidance - prose: The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites. - - - id: pe-13 - class: SP800-53 - title: Fire Protection - properties: - - - name: label - value: PE-13 - - - name: sort-id - value: PE-13 - links: - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: pe-13_smt - name: statement - prose: Employ and maintain fire detection and suppression systems that are supported by an independent energy source. - - - id: pe-13_gdn - name: guidance - prose: The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors. - controls: - - - id: pe-13.1 - class: SP800-53-enhancement - title: Detection Systems – Automatic Activation and Notification - parameters: - - - id: pe-13.1_prm_1 - label: organization-defined personnel or roles - - - id: pe-13.1_prm_2 - label: organization-defined emergency responders - properties: - - - name: label - value: PE-13(1) - - - name: sort-id - value: PE-13(01) - parts: - - - id: pe-13.1_smt - name: statement - prose: Employ fire detection systems that activate automatically and notify {{ pe-13.1_prm_1 }} and {{ pe-13.1_prm_2 }} in the event of a fire. - - - id: pe-13.1_gdn - name: guidance - prose: Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire. - - - id: pe-14 - class: SP800-53 - title: Environmental Controls - parameters: - - - id: pe-14_prm_1 - - - id: pe-14_prm_2 - depends-on: pe-14_prm_1 - label: organization-defined environmental control - - - id: pe-14_prm_3 - label: organization-defined acceptable levels - - - id: pe-14_prm_4 - label: organization-defined frequency - properties: - - - name: label - value: PE-14 - - - name: sort-id - value: PE-14 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pe-21 - rel: related - text: PE-21 - parts: - - - id: pe-14_smt - name: statement - parts: - - - id: pe-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Maintain {{ pe-14_prm_1 }} levels within the facility where the system resides at {{ pe-14_prm_3 }}; and - - - id: pe-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Monitor environmental control levels {{ pe-14_prm_4 }}. - - - id: pe-14_gdn - name: guidance - prose: The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure. - - - id: pe-15 - class: SP800-53 - title: Water Damage Protection - properties: - - - name: label - value: PE-15 - - - name: sort-id - value: PE-15 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pe-10 - rel: related - text: PE-10 - parts: - - - id: pe-15_smt - name: statement - prose: Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. - - - id: pe-15_gdn - name: guidance - prose: The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. - - - id: pe-16 - class: SP800-53 - title: Delivery and Removal - parameters: - - - id: pe-16_prm_1 - label: organization-defined types of system components - properties: - - - name: label - value: PE-16 - - - name: sort-id - value: PE-16 - links: - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: pe-16_smt - name: statement - parts: - - - id: pe-16_smt.a - name: item - properties: - - - name: label - value: a. - prose: Authorize and control {{ pe-16_prm_1 }} entering and exiting the facility; and - - - id: pe-16_smt.b - name: item - properties: - - - name: label - value: b. - prose: Maintain records of the system components. - - - id: pe-16_gdn - name: guidance - prose: Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries. - - - id: pe-17 - class: SP800-53 - title: Alternate Work Site - parameters: - - - id: pe-17_prm_1 - label: organization-defined alternate work sites - - - id: pe-17_prm_2 - label: organization-defined controls - properties: - - - name: label - value: PE-17 - - - name: sort-id - value: PE-17 - links: - - - href: #7768c184-088d-4ee8-a316-f9286b52df7f - rel: reference - text: [SP 800-46] - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #cp-7 - rel: related - text: CP-7 - parts: - - - id: pe-17_smt - name: statement - parts: - - - id: pe-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine and document the {{ pe-17_prm_1 }} allowed for use by employees; - - - id: pe-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following controls at alternate work sites: {{ pe-17_prm_2 }}; - - - id: pe-17_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assess the effectiveness of controls at alternate work sites; and - - - id: pe-17_smt.d - name: item - properties: - - - name: label - value: d. - prose: Provide a means for employees to communicate with information security and privacy personnel in case of incidents. - - - id: pe-17_gdn - name: guidance - prose: Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations. - - - id: pl - class: family - title: Planning - controls: - - - id: pl-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pl-1_prm_1 - label: organization-defined personnel or roles - - - id: pl-1_prm_2 - - - id: pl-1_prm_3 - label: organization-defined official - - - id: pl-1_prm_4 - label: organization-defined frequency - - - id: pl-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PL-1 - - - name: sort-id - value: PL-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-1_smt - name: statement - parts: - - - id: pl-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pl-1_prm_1 }}: - parts: - - - id: pl-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pl-1_prm_2 }} planning policy that: - """ - parts: - - - id: pl-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pl-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pl-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the planning policy and the associated planning controls; - - - id: pl-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and - - - id: pl-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current planning: - parts: - - - id: pl-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pl-1_prm_4 }}; and - - - id: pl-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pl-1_prm_5 }}. - - - id: pl-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pl-2 - class: SP800-53 - title: System Security and Privacy Plans - parameters: - - - id: pl-2_prm_1 - label: organization-defined individuals or groups - - - id: pl-2_prm_2 - label: organization-defined personnel or roles - - - id: pl-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PL-2 - - - name: sort-id - value: PL-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-22 - rel: related - text: SA-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pl-2_smt - name: statement - parts: - - - id: pl-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop security and privacy plans for the system that: - parts: - - - id: pl-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are consistent with the organization’s enterprise architecture; - - - id: pl-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Explicitly define the constituent system components; - - - id: pl-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Describe the operational context of the system in terms of missions and business processes; - - - id: pl-2_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Provide the security categorization of the system, including supporting rationale; - - - id: pl-2_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Describe any specific threats to the system that are of concern to the organization; - - - id: pl-2_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provide the results of a privacy risk assessment for systems processing personally identifiable information; - - - id: pl-2_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; - - - id: pl-2_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: Provide an overview of the security and privacy requirements for the system; - - - id: pl-2_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Identify any relevant control baselines or overlays, if applicable; - - - id: pl-2_smt.a.10 - name: item - properties: - - - name: label - value: 10. - prose: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; - - - id: pl-2_smt.a.11 - name: item - properties: - - - name: label - value: 11. - prose: Include risk determinations for security and privacy architecture and design decisions; - - - id: pl-2_smt.a.12 - name: item - properties: - - - name: label - value: 12. - prose: Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and - - - id: pl-2_smt.a.13 - name: item - properties: - - - name: label - value: 13. - prose: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. - - - id: pl-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }}; - - - id: pl-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the plans {{ pl-2_prm_3 }}; - - - id: pl-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and - - - id: pl-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the plans from unauthorized disclosure and modification. - - - id: pl-2_gdn - name: guidance - prose: - """ - System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. - Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. - Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. - Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate. - """ - - - id: pl-4 - class: SP800-53 - title: Rules of Behavior - parameters: - - - id: pl-4_prm_1 - label: organization-defined frequency - - - id: pl-4_prm_2 - - - id: pl-4_prm_3 - depends-on: pl-4_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PL-4 - - - name: sort-id - value: PL-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-9 - rel: related - text: AC-9 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-4_smt - name: statement - parts: - - - id: pl-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; - - - id: pl-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; - - - id: pl-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the rules of behavior {{ pl-4_prm_1 }}; and - - - id: pl-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}. - - - id: pl-4_gdn - name: guidance - prose: Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons. - controls: - - - id: pl-4.1 - class: SP800-53-enhancement - title: Social Media and External Site/application Usage Restrictions - properties: - - - name: label - value: PL-4(1) - - - name: sort-id - value: PL-04(01) - links: - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #au-13 - rel: related - text: AU-13 - parts: - - - id: pl-4.1_smt - name: statement - prose: Include in the rules of behavior, restrictions on: - parts: - - - id: pl-4.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Use of social media, social networking sites, and external sites/applications; - - - id: pl-4.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Posting organizational information on public websites; and - - - id: pl-4.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications. - - - id: pl-4.1_gdn - name: guidance - prose: Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information. - - - id: pl-8 - class: SP800-53 - title: Security and Privacy Architectures - parameters: - - - id: pl-8_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PL-8 - - - name: sort-id - value: PL-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pl-9 - rel: related - text: PL-9 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: pl-8_smt - name: statement - parts: - - - id: pl-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop security and privacy architectures for the system that: - parts: - - - id: pl-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; - - - id: pl-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; - - - id: pl-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Describe how the architectures are integrated into and support the enterprise architecture; and - - - id: pl-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Describe any assumptions about, and dependencies on, external systems and services; - - - id: pl-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and - - - id: pl-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions. - - - id: pl-8_gdn - name: guidance - prose: - """ - The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs. - [SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews). - In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented. - PL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures. - """ - - - id: pl-10 - class: SP800-53 - title: Baseline Selection - properties: - - - name: label - value: PL-10 - - - name: sort-id - value: PL-10 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #31f3c9de-c57c-4281-929b-f9951f9640f1 - rel: reference - text: [SP 800-53B] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ee96f130-3f91-46ed-a4d8-57e5f220a623 - rel: reference - text: [CNSSI 1253] - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pl-10_smt - name: statement - prose: Select a control baseline for the system. - - - id: pl-10_gdn - name: guidance - prose: Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments. - - - id: pl-11 - class: SP800-53 - title: Baseline Tailoring - properties: - - - name: label - value: PL-11 - - - name: sort-id - value: PL-11 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #31f3c9de-c57c-4281-929b-f9951f9640f1 - rel: reference - text: [SP 800-53B] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ee96f130-3f91-46ed-a4d8-57e5f220a623 - rel: reference - text: [CNSSI 1253] - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pl-11_smt - name: statement - prose: Tailor the selected control baseline by applying specified tailoring actions. - - - id: pl-11_gdn - name: guidance - prose: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities. - - - id: pm - class: family - title: Program Management - controls: - - - id: pm-1 - class: SP800-53 - title: Information Security Program Plan - parameters: - - - id: pm-1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-1 - - - name: sort-id - value: PM-01 - links: - - - href: #14958422-54f6-471f-a345-802dca594dd8 - rel: reference - text: [FISMA] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: pm-1_smt - name: statement - parts: - - - id: pm-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and disseminate an organization-wide information security program plan that: - parts: - - - id: pm-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; - - - id: pm-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; - - - id: pm-1_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Reflects the coordination among organizational entities responsible for information security; and - - - id: pm-1_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; - - - id: pm-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the organization-wide information security program plan {{ pm-1_prm_1 }}; - - - id: pm-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and - - - id: pm-1_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect the information security program plan from unauthorized disclosure and modification. - - - id: pm-1_gdn - name: guidance - prose: - """ - An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents. - Information security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. - Program management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization. - Common controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls. - """ - - - id: pm-2 - class: SP800-53 - title: Information Security Program Leadership Role - properties: - - - name: label - value: PM-2 - - - name: sort-id - value: PM-02 - links: - - - href: #ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3 - rel: reference - text: [OMB M-17-25] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - parts: - - - id: pm-2_smt - name: statement - prose: Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. - - - id: pm-2_gdn - name: guidance - prose: The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer. - - - id: pm-3 - class: SP800-53 - title: Information Security and Privacy Resources - properties: - - - name: label - value: PM-3 - - - name: sort-id - value: PM-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-3_smt - name: statement - parts: - - - id: pm-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; - - - id: pm-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and - - - id: pm-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make available for expenditure, the planned information security and privacy resources. - - - id: pm-3_gdn - name: guidance - prose: Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process. - - - id: pm-4 - class: SP800-53 - title: Plan of Action and Milestones Process - properties: - - - name: label - value: PM-4 - - - name: sort-id - value: PM-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-3 - rel: related - text: PM-3 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-4_smt - name: statement - parts: - - - id: pm-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems: - parts: - - - id: pm-4_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; - - - id: pm-4_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and - - - id: pm-4_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Are reported in accordance with established reporting requirements. - - - id: pm-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-4_gdn - name: guidance - prose: The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5. - - - id: pm-5 - class: SP800-53 - title: System Inventory - parameters: - - - id: pm-5_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-5 - - - name: sort-id - value: PM-05 - links: - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - parts: - - - id: pm-5_smt - name: statement - prose: Develop and update {{ pm-5_prm_1 }} an inventory of organizational systems. - - - id: pm-5_gdn - name: guidance - prose: [OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8. - controls: - - - id: pm-5.1 - class: SP800-53-enhancement - title: Inventory of Personally Identifiable Information - parameters: - - - id: pm-5.1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-5(1) - - - name: sort-id - value: PM-05(01) - links: - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-12 - rel: related - text: CM-12 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-5.1_smt - name: statement - prose: Establish, maintain, and update {{ pm-5.1_prm_1 }} an inventory of all systems, applications, and projects that process personally identifiable information. - - - id: pm-5.1_gdn - name: guidance - prose: An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein. - - - id: pm-6 - class: SP800-53 - title: Measures of Performance - properties: - - - name: label - value: PM-6 - - - name: sort-id - value: PM-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - rel: reference - text: [SP 800-55] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-7 - rel: related - text: CA-7 - parts: - - - id: pm-6_smt - name: statement - prose: Develop, monitor, and report on the results of information security and privacy measures of performance. - - - id: pm-6_gdn - name: guidance - prose: Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. - - - id: pm-7 - class: SP800-53 - title: Enterprise Architecture - properties: - - - name: label - value: PM-7 - - - name: sort-id - value: PM-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #au-6 - rel: related - text: AU-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: pm-7_smt - name: statement - prose: Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. - - - id: pm-7_gdn - name: guidance - prose: The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines. - controls: - - - id: pm-7.1 - class: SP800-53-enhancement - title: Offloading - parameters: - - - id: pm-7.1_prm_1 - label: organization-defined non-essential functions or services - properties: - - - name: label - value: PM-7(1) - - - name: sort-id - value: PM-07(01) - links: - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: pm-7.1_smt - name: statement - prose: Offload {{ pm-7.1_prm_1 }} to other systems, system components, or an external provider. - - - id: pm-7.1_gdn - name: guidance - prose: Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services. - - - id: pm-8 - class: SP800-53 - title: Critical Infrastructure Plan - properties: - - - name: label - value: PM-8 - - - name: sort-id - value: PM-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #cde25174-38e0-4a00-8919-8ee3674b8088 - rel: reference - text: [HSPD 7] - - - href: #24b7b1ec-6430-41de-9353-29fdb1b488fc - rel: reference - text: [DHS NIPP] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-8_smt - name: statement - prose: Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. - - - id: pm-8_gdn - name: guidance - prose: Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: pm-9 - class: SP800-53 - title: Risk Management Strategy - parameters: - - - id: pm-9_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-9 - - - name: sort-id - value: PM-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: pm-9_smt - name: statement - parts: - - - id: pm-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develops a comprehensive strategy to manage: - parts: - - - id: pm-9_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and - - - id: pm-9_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; - - - id: pm-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the risk management strategy consistently across the organization; and - - - id: pm-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes. - - - id: pm-9_gdn - name: guidance - prose: An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive. - - - id: pm-10 - class: SP800-53 - title: Authorization Process - properties: - - - name: label - value: PM-10 - - - name: sort-id - value: PM-10 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: pm-10_smt - name: statement - parts: - - - id: pm-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; - - - id: pm-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and - - - id: pm-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Integrate the authorization processes into an organization-wide risk management program. - - - id: pm-10_gdn - name: guidance - prose: Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation. - - - id: pm-11 - class: SP800-53 - title: Mission and Business Process Definition - parameters: - - - id: pm-11_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-11 - - - name: sort-id - value: PM-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-11_smt - name: statement - parts: - - - id: pm-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and - - - id: pm-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and revise the mission and business processes {{ pm-11_prm_1 }}. - - - id: pm-11_gdn - name: guidance - prose: Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures. - - - id: pm-12 - class: SP800-53 - title: Insider Threat Program - properties: - - - name: label - value: PM-12 - - - name: sort-id - value: PM-12 - links: - - - href: #2b5e12fb-633f-49e6-8aff-81d75bf53545 - rel: reference - text: [EO 13587] - - - href: #286d42a1-efbe-49a2-9ce1-4c9bf68feb3b - rel: reference - text: [ODNI NITP] - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-16 - rel: related - text: PM-16 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #pm-14 - rel: related - text: PM-14 - parts: - - - id: pm-12_smt - name: statement - prose: Implement an insider threat program that includes a cross-discipline insider threat incident handling team. - - - id: pm-12_gdn - name: guidance - prose: - """ - Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture. - Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - """ - - - id: pm-13 - class: SP800-53 - title: Security and Privacy Workforce - properties: - - - name: label - value: PM-13 - - - name: sort-id - value: PM-13 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f4c3f657-de83-47ae-9aec-e144de8268d1 - rel: reference - text: [SP 800-181] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: pm-13_smt - name: statement - prose: Establish a security and privacy workforce development and improvement program. - - - id: pm-13_gdn - name: guidance - prose: Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals. - - - id: pm-14 - class: SP800-53 - title: Testing, Training, and Monitoring - properties: - - - name: label - value: PM-14 - - - name: sort-id - value: PM-14 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: pm-14_smt - name: statement - parts: - - - id: pm-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: - parts: - - - id: pm-14_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; and - - - id: pm-14_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Continue to be executed; and - - - id: pm-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-14_gdn - name: guidance - prose: This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. - - - id: pm-15 - class: SP800-53 - title: Security and Privacy Groups and Associations - properties: - - - name: label - value: PM-15 - - - name: sort-id - value: PM-15 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #si-5 - rel: related - text: SI-5 - parts: - - - id: pm-15_smt - name: statement - prose: Establish and institutionalize contact with selected groups and associations within the security and privacy communities: - parts: - - - id: pm-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: To facilitate ongoing security and privacy education and training for organizational personnel; - - - id: pm-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: To maintain currency with recommended security and privacy practices, techniques, and technologies; and - - - id: pm-15_smt.c - name: item - properties: - - - name: label - value: c. - prose: To share current security and privacy information, including threats, vulnerabilities, and incidents. - - - id: pm-15_gdn - name: guidance - prose: Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: pm-16 - class: SP800-53 - title: Threat Awareness Program - properties: - - - name: label - value: PM-16 - - - name: sort-id - value: PM-16 - links: - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #pm-12 - rel: related - text: PM-12 - parts: - - - id: pm-16_smt - name: statement - prose: Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. - - - id: pm-16_gdn - name: guidance - prose: Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared. - controls: - - - id: pm-16.1 - class: SP800-53-enhancement - title: Automated Means for Sharing Threat Intelligence - properties: - - - name: label - value: PM-16(1) - - - name: sort-id - value: PM-16(01) - parts: - - - id: pm-16.1_smt - name: statement - prose: Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. - - - id: pm-16.1_gdn - name: guidance - prose: To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures. - - - id: pm-17 - class: SP800-53 - title: Protecting Controlled Unclassified Information on External Systems - parameters: - - - id: pm-17_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-17 - - - name: sort-id - value: PM-17 - links: - - - href: #742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - rel: reference - text: [32 CFR 2002] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #dd87fdf0-840d-4392-9de4-220b2327e340 - rel: reference - text: [NARA CUI] - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #pm-10 - rel: related - text: PM-10 - parts: - - - id: pm-17_smt - name: statement - parts: - - - id: pm-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards. - - - id: pm-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update the policy and procedures {{ pm-17_prm_1 }}. - - - id: pm-17_gdn - name: guidance - prose: Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes. - - - id: pm-18 - class: SP800-53 - title: Privacy Program Plan - properties: - - - name: label - value: PM-18 - - - name: sort-id - value: PM-18 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-18_smt - name: statement - parts: - - - id: pm-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: - parts: - - - id: pm-18_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; - - - id: pm-18_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; - - - id: pm-18_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; - - - id: pm-18_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; - - - id: pm-18_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Reflects coordination among organizational entities responsible for the different aspects of privacy; and - - - id: pm-18_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. - - - id: pm-18_gdn - name: guidance - prose: - """ - A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. - The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. - Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. - Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls. - """ - - - id: pm-19 - class: SP800-53 - title: Privacy Program Leadership Role - properties: - - - name: label - value: PM-19 - - - name: sort-id - value: PM-19 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-20 - rel: related - text: PM-20 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-24 - rel: related - text: PM-24 - parts: - - - id: pm-19_smt - name: statement - prose: Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. - - - id: pm-19_gdn - name: guidance - prose: The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24). - - - id: pm-20 - class: SP800-53 - title: Dissemination of Privacy Program Information - properties: - - - name: label - value: PM-20 - - - name: sort-id - value: PM-20 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f7d3617a-9a4f-4f1a-a688-845081b70390 - rel: reference - text: [OMB M-17-06] - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-8 - rel: related - text: RA-8 - parts: - - - id: pm-20_smt - name: statement - prose: Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: - parts: - - - id: pm-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; - - - id: pm-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensures that organizational privacy practices and reports are publicly available; and - - - id: pm-20_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. - - - id: pm-20_gdn - name: guidance - prose: Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications. - - - id: pm-21 - class: SP800-53 - title: Accounting of Disclosures - properties: - - - name: label - value: PM-21 - - - name: sort-id - value: PM-21 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #pt-2 - rel: related - text: PT-2 - parts: - - - id: pm-21_smt - name: statement - parts: - - - id: pm-21_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: - parts: - - - id: pm-21_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Date, nature, and purpose of each disclosure; and - - - id: pm-21_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Name and address, or other contact information of the person or organization to which the disclosure was made; - - - id: pm-21_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and - - - id: pm-21_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. - - - id: pm-21_gdn - name: guidance - prose: - """ - The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. - Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions. - """ - - - id: pm-22 - class: SP800-53 - title: Personally Identifiable Information Quality Management - properties: - - - name: label - value: PM-22 - - - name: sort-id - value: PM-22 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-22_smt - name: statement - prose: Develop and document policies and procedures for: - parts: - - - id: pm-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; - - - id: pm-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Correcting or deleting inaccurate or outdated personally identifiable information; - - - id: pm-22_smt.c - name: item - properties: - - - name: label - value: c. - prose: Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and - - - id: pm-22_smt.d - name: item - properties: - - - name: label - value: d. - prose: Appeals of adverse decisions on correction or deletion requests. - - - id: pm-22_gdn - name: guidance - prose: - """ - Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. - The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. - Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem. - """ - - - id: pm-23 - class: SP800-53 - title: Data Governance Body - parameters: - - - id: pm-23_prm_1 - label: organization-defined roles - - - id: pm-23_prm_2 - label: organization-defined responsibilities - properties: - - - name: label - value: PM-23 - - - name: sort-id - value: PM-23 - links: - - - href: #43facb7b-0afb-480f-8191-34790d5b444b - rel: reference - text: [EVIDACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #d843e915-eeb6-4bbe-8cab-ccc802088703 - rel: reference - text: [OMB M-19-23] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-19 - rel: related - text: SI-19 - parts: - - - id: pm-23_smt - name: statement - prose: Establish a Data Governance Body consisting of {{ pm-23_prm_1 }} with {{ pm-23_prm_2 }}. - - - id: pm-23_gdn - name: guidance - prose: A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23]. - - - id: pm-24 - class: SP800-53 - title: Data Integrity Board - properties: - - - name: label - value: PM-24 - - - name: sort-id - value: PM-24 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-8 - rel: related - text: PT-8 - parts: - - - id: pm-24_smt - name: statement - prose: Establish a Data Integrity Board to: - parts: - - - id: pm-24_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review proposals to conduct or participate in a matching program; and - - - id: pm-24_smt.b - name: item - properties: - - - name: label - value: b. - prose: Conduct an annual review of all matching programs in which the agency has participated. - - - id: pm-24_gdn - name: guidance - prose: A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy. - - - id: pm-25 - class: SP800-53 - title: Minimization of Pii Used in Testing, Training, and Research - parameters: - - - id: pm-25_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-25 - - - name: sort-id - value: PM-25 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: pm-25_smt - name: statement - parts: - - - id: pm-25_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; - - - id: pm-25_smt.b - name: item - properties: - - - name: label - value: b. - prose: Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; - - - id: pm-25_smt.c - name: item - properties: - - - name: label - value: c. - prose: Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and - - - id: pm-25_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review and update policies and procedures {{ pm-25_prm_1 }}. - - - id: pm-25_gdn - name: guidance - prose: The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2). - - - id: pm-26 - class: SP800-53 - title: Complaint Management - parameters: - - - id: pm-26_prm_1 - label: organization-defined time-period - - - id: pm-26_prm_2 - label: organization-defined time-period - - - id: pm-26_prm_3 - label: organization-defined time-period - properties: - - - name: label - value: PM-26 - - - name: sort-id - value: PM-26 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-26_smt - name: statement - prose: Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes: - parts: - - - id: pm-26_smt.a - name: item - properties: - - - name: label - value: a. - prose: Mechanisms that are easy to use and readily accessible by the public; - - - id: pm-26_smt.b - name: item - properties: - - - name: label - value: b. - prose: All information necessary for successfully filing complaints; - - - id: pm-26_smt.c - name: item - properties: - - - name: label - value: c. - prose: Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }}; - - - id: pm-26_smt.d - name: item - properties: - - - name: label - value: d. - prose: Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and - - - id: pm-26_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}. - - - id: pm-26_gdn - name: guidance - prose: Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information. - - - id: pm-27 - class: SP800-53 - title: Privacy Reporting - parameters: - - - id: pm-27_prm_1 - label: organization-defined privacy reports - - - id: pm-27_prm_2 - label: organization-defined officials - - - id: pm-27_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PM-27 - - - name: sort-id - value: PM-27 - links: - - - href: #14958422-54f6-471f-a345-802dca594dd8 - rel: reference - text: [FISMA] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-27_smt - name: statement - parts: - - - id: pm-27_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop {{ pm-27_prm_1 }} and disseminate to: - parts: - - - id: pm-27_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and - - - id: pm-27_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and - """ - - - id: pm-27_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update privacy reports {{ pm-27_prm_3 }}. - - - id: pm-27_gdn - name: guidance - prose: Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. - - - id: pm-28 - class: SP800-53 - title: Risk Framing - parameters: - - - id: pm-28_prm_1 - label: organization-defined personnel - - - id: pm-28_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PM-28 - - - name: sort-id - value: PM-28 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-7 - rel: related - text: RA-7 - parts: - - - id: pm-28_smt - name: statement - parts: - - - id: pm-28_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document: - parts: - - - id: pm-28_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Assumptions affecting risk assessments, risk responses, and risk monitoring; - - - id: pm-28_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Constraints affecting risk assessments, risk responses, and risk monitoring; - - - id: pm-28_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Priorities and trade-offs considered by the organization for managing risk; and - - - id: pm-28_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Organizational risk tolerance; and - - - id: pm-28_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute the results of risk framing activities to {{ pm-28_prm_1 }}; - - - id: pm-28_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update risk framing considerations {{ pm-28_prm_2 }}. - - - id: pm-28_gdn - name: guidance - prose: Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management. - - - id: pm-29 - class: SP800-53 - title: Risk Management Program Leadership Roles - properties: - - - name: label - value: PM-29 - - - name: sort-id - value: PM-29 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-29_smt - name: statement - parts: - - - id: pm-29_smt.a - name: item - properties: - - - name: label - value: a. - prose: Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and - - - id: pm-29_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. - - - id: pm-29_gdn - name: guidance - prose: The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities. - - - id: pm-30 - class: SP800-53 - title: Supply Chain Risk Management Strategy - parameters: - - - id: pm-30_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-30 - - - name: sort-id - value: PM-30 - links: - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-7 - rel: related - text: SR-7 - - - href: #sr-8 - rel: related - text: SR-8 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: pm-30_smt - name: statement - parts: - - - id: pm-30_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; - - - id: pm-30_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the supply chain risk management strategy consistently across the organization; and - - - id: pm-30_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the supply chain risk management strategy on {{ pm-30_prm_1 }} or as required, to address organizational changes. - - - id: pm-30_gdn - name: guidance - prose: An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level. - - - id: pm-31 - class: SP800-53 - title: Continuous Monitoring Strategy - parameters: - - - id: pm-31_prm_1 - label: organization-defined metrics - - - id: pm-31_prm_2 - label: organization-defined frequencies - - - id: pm-31_prm_3 - label: organization-defined frequencies - - - id: pm-31_prm_4 - label: organization-defined personnel or roles - - - id: pm-31_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PM-31 - - - name: sort-id - value: PM-31 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pm-31_smt - name: statement - prose: Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: - parts: - - - id: pm-31_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }}; - - - id: pm-31_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness; - - - id: pm-31_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; - - - id: pm-31_smt.d - name: item - properties: - - - name: label - value: d. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: pm-31_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: pm-31_smt.f - name: item - properties: - - - name: label - value: f. - prose: - """ - Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }} - {{ pm-31_prm_5 }}. - """ - - - id: pm-31_gdn - name: guidance - prose: Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - - - id: pm-32 - class: SP800-53 - title: Purposing - parameters: - - - id: pm-32_prm_1 - label: organization-defined systems or systems components - properties: - - - name: label - value: PM-32 - - - name: sort-id - value: PM-32 - links: - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - parts: - - - id: pm-32_smt - name: statement - prose: Analyze {{ pm-32_prm_1 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose. - - - id: pm-32_gdn - name: guidance - prose: Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures. - - - id: ps - class: family - title: Personnel Security - controls: - - - id: ps-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ps-1_prm_1 - label: organization-defined personnel or roles - - - id: ps-1_prm_2 - - - id: ps-1_prm_3 - label: organization-defined official - - - id: ps-1_prm_4 - label: organization-defined frequency - - - id: ps-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PS-1 - - - name: sort-id - value: PS-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-1_smt - name: statement - parts: - - - id: ps-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ps-1_prm_1 }}: - parts: - - - id: ps-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ps-1_prm_2 }} personnel security policy that: - """ - parts: - - - id: ps-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ps-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ps-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; - - - id: ps-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ps-1_prm_3 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and - - - id: ps-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current personnel security: - parts: - - - id: ps-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ps-1_prm_4 }}; and - - - id: ps-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ps-1_prm_5 }}. - - - id: ps-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ps-2 - class: SP800-53 - title: Position Risk Designation - parameters: - - - id: ps-2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PS-2 - - - name: sort-id - value: PS-02 - links: - - - href: #2383ccfd-d8a0-4e3a-bf40-21288ae1e07a - rel: reference - text: [5 CFR 731] - - - href: #ac-5 - rel: related - text: AC-5 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-2_smt - name: statement - parts: - - - id: ps-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Assign a risk designation to all organizational positions; - - - id: ps-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establish screening criteria for individuals filling those positions; and - - - id: ps-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update position risk designations {{ ps-2_prm_1 }}. - - - id: ps-2_gdn - name: guidance - prose: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions. - - - id: ps-3 - class: SP800-53 - title: Personnel Screening - parameters: - - - id: ps-3_prm_1 - label: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening - properties: - - - name: label - value: PS-3 - - - name: sort-id - value: PS-03 - links: - - - href: #52a8b0c6-0c6b-424b-928d-41c50ba87838 - rel: reference - text: [EO 13526] - - - href: #2b5e12fb-633f-49e6-8aff-81d75bf53545 - rel: reference - text: [EO 13587] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #d5ef0056-c807-44c3-a7b5-6eb491538f8e - rel: reference - text: [SP 800-76-2] - - - href: #013e098f-0680-4856-a130-b768c69dab9c - rel: reference - text: [SP 800-78-4] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-21 - rel: related - text: SA-21 - parts: - - - id: ps-3_smt - name: statement - parts: - - - id: ps-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Screen individuals prior to authorizing access to the system; and - - - id: ps-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Rescreen individuals in accordance with {{ ps-3_prm_1 }}. - - - id: ps-3_gdn - name: guidance - prose: Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems. - - - id: ps-4 - class: SP800-53 - title: Personnel Termination - parameters: - - - id: ps-4_prm_1 - label: organization-defined time-period - - - id: ps-4_prm_2 - label: organization-defined information security topics - properties: - - - name: label - value: PS-4 - - - name: sort-id - value: PS-04 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - parts: - - - id: ps-4_smt - name: statement - prose: Upon termination of individual employment: - parts: - - - id: ps-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Disable system access within {{ ps-4_prm_1 }}; - - - id: ps-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Terminate or revoke any authenticators and credentials associated with the individual; - - - id: ps-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Conduct exit interviews that include a discussion of {{ ps-4_prm_2 }}; - - - id: ps-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Retrieve all security-related organizational system-related property; and - - - id: ps-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Retain access to organizational information and systems formerly controlled by terminated individual. - - - id: ps-4_gdn - name: guidance - prose: System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified. - - - id: ps-5 - class: SP800-53 - title: Personnel Transfer - parameters: - - - id: ps-5_prm_1 - label: organization-defined transfer or reassignment actions - - - id: ps-5_prm_2 - label: organization-defined time-period following the formal transfer action - - - id: ps-5_prm_3 - label: organization-defined personnel or roles - - - id: ps-5_prm_4 - label: organization-defined time-period - properties: - - - name: label - value: PS-5 - - - name: sort-id - value: PS-05 - links: - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-7 - rel: related - text: PS-7 - parts: - - - id: ps-5_smt - name: statement - parts: - - - id: ps-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; - - - id: ps-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Initiate {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }}; - - - id: ps-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and - - - id: ps-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Notify {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}. - - - id: ps-5_gdn - name: guidance - prose: Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts. - - - id: ps-6 - class: SP800-53 - title: Access Agreements - parameters: - - - id: ps-6_prm_1 - label: organization-defined frequency - - - id: ps-6_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PS-6 - - - name: sort-id - value: PS-06 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #pe-2 - rel: related - text: PE-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ps-6_smt - name: statement - parts: - - - id: ps-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and document access agreements for organizational systems; - - - id: ps-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the access agreements {{ ps-6_prm_1 }}; and - - - id: ps-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Verify that individuals requiring access to organizational information and systems: - parts: - - - id: ps-6_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Sign appropriate access agreements prior to being granted access; and - - - id: ps-6_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ ps-6_prm_2 }}. - - - id: ps-6_gdn - name: guidance - prose: Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. - - - id: ps-7 - class: SP800-53 - title: External Personnel Security - parameters: - - - id: ps-7_prm_1 - label: organization-defined personnel or roles - - - id: ps-7_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: PS-7 - - - name: sort-id - value: PS-07 - links: - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-3 - rel: related - text: PS-3 - - - href: #ps-4 - rel: related - text: PS-4 - - - href: #ps-5 - rel: related - text: PS-5 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-21 - rel: related - text: SA-21 - parts: - - - id: ps-7_smt - name: statement - parts: - - - id: ps-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish personnel security requirements, including security roles and responsibilities for external providers; - - - id: ps-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Require external providers to comply with personnel security policies and procedures established by the organization; - - - id: ps-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document personnel security requirements; - - - id: ps-7_smt.d - name: item - properties: - - - name: label - value: d. - prose: Require external providers to notify {{ ps-7_prm_1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ ps-7_prm_2 }}; and - - - id: ps-7_smt.e - name: item - properties: - - - name: label - value: e. - prose: Monitor provider compliance with personnel security requirements. - - - id: ps-7_gdn - name: guidance - prose: External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated. - - - id: ps-8 - class: SP800-53 - title: Personnel Sanctions - parameters: - - - id: ps-8_prm_1 - label: organization-defined personnel or roles - - - id: ps-8_prm_2 - label: organization-defined time-period - properties: - - - name: label - value: PS-8 - - - name: sort-id - value: PS-08 - links: - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #pt-1 - rel: related - text: PT-1 - parts: - - - id: ps-8_smt - name: statement - parts: - - - id: ps-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and - - - id: ps-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Notify {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. - - - id: ps-8_gdn - name: guidance - prose: Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. - - - id: ra - class: family - title: Risk Assessment - controls: - - - id: ra-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ra-1_prm_1 - label: organization-defined personnel or roles - - - id: ra-1_prm_2 - - - id: ra-1_prm_3 - label: organization-defined official - - - id: ra-1_prm_4 - label: organization-defined frequency - - - id: ra-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-1 - - - name: sort-id - value: RA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-1_smt - name: statement - parts: - - - id: ra-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ra-1_prm_1 }}: - parts: - - - id: ra-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ra-1_prm_2 }} risk assessment policy that: - """ - parts: - - - id: ra-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ra-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ra-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; - - - id: ra-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and - - - id: ra-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current risk assessment: - parts: - - - id: ra-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ra-1_prm_4 }}; and - - - id: ra-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ra-1_prm_5 }}. - - - id: ra-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ra-2 - class: SP800-53 - title: Security Categorization - properties: - - - name: label - value: RA-2 - - - name: sort-id - value: RA-02 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-2_smt - name: statement - parts: - - - id: ra-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Categorize the system and information it processes, stores, and transmits; - - - id: ra-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document the security categorization results, including supporting rationale, in the security plan for the system; and - - - id: ra-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. - - - id: ra-2_gdn - name: guidance - prose: - """ - Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. - Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts. - Security categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant. - """ - - - id: ra-3 - class: SP800-53 - title: Risk Assessment - parameters: - - - id: ra-3_prm_1 - - - id: ra-3_prm_2 - depends-on: ra-3_prm_1 - label: organization-defined document - - - id: ra-3_prm_3 - label: organization-defined frequency - - - id: ra-3_prm_4 - label: organization-defined personnel or roles - - - id: ra-3_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-3 - - - name: sort-id - value: RA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-3_smt - name: statement - parts: - - - id: ra-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Conduct a risk assessment, including: - parts: - - - id: ra-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and - - - id: ra-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; - - - id: ra-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; - - - id: ra-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document risk assessment results in {{ ra-3_prm_1 }}; - - - id: ra-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review risk assessment results {{ ra-3_prm_3 }}; - - - id: ra-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Disseminate risk assessment results to {{ ra-3_prm_4 }}; and - - - id: ra-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. - - - id: ra-3_gdn - name: guidance - prose: - """ - Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. - Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. - In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination. - """ - controls: - - - id: ra-3.1 - class: SP800-53-enhancement - title: Supply Chain Risk Assessment - parameters: - - - id: ra-3.1_prm_1 - label: organization-defined systems, system components, and system services - - - id: ra-3.1_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: RA-3(1) - - - name: sort-id - value: RA-03(01) - links: - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #pm-17 - rel: related - text: PM-17 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: ra-3.1_smt - name: statement - parts: - - - id: ra-3.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Assess supply chain risks associated with {{ ra-3.1_prm_1 }}; and - - - id: ra-3.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Update the supply chain risk assessment {{ ra-3.1_prm_2 }}, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. - - - id: ra-3.1_gdn - name: guidance - prose: Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required. - - - id: ra-5 - class: SP800-53 - title: Vulnerability Monitoring and Scanning - parameters: - - - id: ra-5_prm_1 - label: organization-defined frequency and/or randomly in accordance with organization-defined process - - - id: ra-5_prm_2 - label: organization-defined response times - - - id: ra-5_prm_3 - label: organization-defined personnel or roles - properties: - - - name: label - value: RA-5 - - - name: sort-id - value: RA-05 - links: - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - rel: reference - text: [SP 800-126] - - - href: #bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - rel: reference - text: [IR 7788] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: ra-5_smt - name: statement - parts: - - - id: ra-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor and scan for vulnerabilities in the system and hosted applications {{ ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported; - - - id: ra-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: - parts: - - - id: ra-5_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: Enumerating platforms, software flaws, and improper configurations; - - - id: ra-5_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: Formatting checklists and test procedures; and - - - id: ra-5_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: Measuring vulnerability impact; - - - id: ra-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Analyze vulnerability scan reports and results from vulnerability monitoring; - - - id: ra-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Remediate legitimate vulnerabilities {{ ra-5_prm_2 }} in accordance with an organizational assessment of risk; - - - id: ra-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Share information obtained from the vulnerability monitoring process and control assessments with {{ ra-5_prm_3 }} to help eliminate similar vulnerabilities in other systems; and - - - id: ra-5_smt.f - name: item - properties: - - - name: label - value: f. - prose: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. - - - id: ra-5_gdn - name: guidance - prose: - """ - Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. - Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). - Vulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. - Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points. - """ - controls: - - - id: ra-5.2 - class: SP800-53-enhancement - title: Update System Vulnerabilities - parameters: - - - id: ra-5.2_prm_1 - - - id: ra-5.2_prm_2 - depends-on: ra-5.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: RA-5(2) - - - name: sort-id - value: RA-05(02) - links: - - - href: #si-5 - rel: related - text: SI-5 - parts: - - - id: ra-5.2_smt - name: statement - prose: Update the system vulnerabilities to be scanned {{ ra-5.2_prm_1 }}. - - - id: ra-5.2_gdn - name: guidance - prose: Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner. - - - id: ra-5.5 - class: SP800-53-enhancement - title: Privileged Access - parameters: - - - id: ra-5.5_prm_1 - label: organization-defined system components - - - id: ra-5.5_prm_2 - label: organization-defined vulnerability scanning activities - properties: - - - name: label - value: RA-5(5) - - - name: sort-id - value: RA-05(05) - parts: - - - id: ra-5.5_smt - name: statement - prose: Implement privileged access authorization to {{ ra-5.5_prm_1 }} for {{ ra-5.5_prm_2 }}. - - - id: ra-5.5_gdn - name: guidance - prose: In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning. - - - id: ra-7 - class: SP800-53 - title: Risk Response - properties: - - - name: label - value: RA-7 - - - name: sort-id - value: RA-07 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: ra-7_smt - name: statement - prose: Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. - - - id: ra-7_gdn - name: guidance - prose: Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated. - - - id: ra-9 - class: SP800-53 - title: Criticality Analysis - parameters: - - - id: ra-9_prm_1 - label: organization-defined systems, system components, or system services - - - id: ra-9_prm_2 - label: organization-defined decision points in the system development life cycle - properties: - - - name: label - value: RA-9 - - - name: sort-id - value: RA-09 - links: - - - href: #7a93e915-fd58-4147-be12-e48044c367e6 - rel: reference - text: [IR 8179] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-20 - rel: related - text: SA-20 - parts: - - - id: ra-9_smt - name: statement - prose: Identify critical system components and functions by performing a criticality analysis for {{ ra-9_prm_1 }} at {{ ra-9_prm_2 }}. - - - id: ra-9_gdn - name: guidance - prose: - """ - Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system. - The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2. - """ - - - id: sa - class: family - title: System and Services Acquisition - controls: - - - id: sa-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sa-1_prm_1 - label: organization-defined personnel or roles - - - id: sa-1_prm_2 - - - id: sa-1_prm_3 - label: organization-defined official - - - id: sa-1_prm_4 - label: organization-defined frequency - - - id: sa-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SA-1 - - - name: sort-id - value: SA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sa-1_smt - name: statement - parts: - - - id: sa-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sa-1_prm_1 }}: - parts: - - - id: sa-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sa-1_prm_2 }} system and services acquisition policy that: - """ - parts: - - - id: sa-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sa-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sa-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; - - - id: sa-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and - - - id: sa-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and services acquisition: - parts: - - - id: sa-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sa-1_prm_4 }}; and - - - id: sa-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sa-1_prm_5 }}. - - - id: sa-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sa-2 - class: SP800-53 - title: Allocation of Resources - properties: - - - name: label - value: SA-2 - - - name: sort-id - value: SA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pm-3 - rel: related - text: PM-3 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-2_smt - name: statement - parts: - - - id: sa-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; - - - id: sa-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and - - - id: sa-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. - - - id: sa-2_gdn - name: guidance - prose: Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle. - - - id: sa-3 - class: SP800-53 - title: System Development Life Cycle - parameters: - - - id: sa-3_prm_1 - label: organization-defined system development life cycle - properties: - - - name: label - value: SA-3 - - - name: sort-id - value: SA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - rel: reference - text: [SP 800-171] - - - href: #aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - rel: reference - text: [SP 800-171B] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-22 - rel: related - text: SA-22 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-9 - rel: related - text: SR-9 - parts: - - - id: sa-3_smt - name: statement - parts: - - - id: sa-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Acquire, develop, and manage the system using {{ sa-3_prm_1 }} that incorporates information security and privacy considerations; - - - id: sa-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define and document information security and privacy roles and responsibilities throughout the system development life cycle; - - - id: sa-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Identify individuals having information security and privacy roles and responsibilities; and - - - id: sa-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Integrate the organizational information security and privacy risk management process into system development life cycle activities. - - - id: sa-3_gdn - name: guidance - prose: - """ - A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. - The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle. - """ - - - id: sa-4 - class: SP800-53 - title: Acquisition Process - parameters: - - - id: sa-4_prm_1 - - - id: sa-4_prm_2 - depends-on: sa-4_prm_1 - label: organization-defined contract language - properties: - - - name: label - value: SA-4 - - - name: sort-id - value: SA-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #6ddb507b-6ddb-4e15-a8d4-0854e704446e - rel: reference - text: [ISO 15408-1] - - - href: #18abb755-c10f-407d-b0ef-4f99e5ec4a49 - rel: reference - text: [ISO 15408-2] - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #daf69edb-a0ef-4447-9880-8c4bf553181f - rel: reference - text: [IR 7676] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #5dac2312-1d0d-416f-aebb-400fa9775b74 - rel: reference - text: [NIAP CCEVS] - - - href: #634dec27-df88-4c30-b1a4-b57cdfd24f20 - rel: reference - text: [NSA CSFC] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-4_smt - name: statement - prose: Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service: - parts: - - - id: sa-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Security and privacy functional requirements; - - - id: sa-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Strength of mechanism requirements; - - - id: sa-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Security and privacy assurance requirements; - - - id: sa-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Controls needed to satisfy the security and privacy requirements. - - - id: sa-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Security and privacy documentation requirements; - - - id: sa-4_smt.f - name: item - properties: - - - name: label - value: f. - prose: Requirements for protecting security and privacy documentation; - - - id: sa-4_smt.g - name: item - properties: - - - name: label - value: g. - prose: Description of the system development environment and environment in which the system is intended to operate; - - - id: sa-4_smt.h - name: item - properties: - - - name: label - value: h. - prose: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and - - - id: sa-4_smt.i - name: item - properties: - - - name: label - value: i. - prose: Acceptance criteria. - - - id: sa-4_gdn - name: guidance - prose: - """ - Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. - Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. - Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement. - """ - controls: - - - id: sa-4.1 - class: SP800-53-enhancement - title: Functional Properties of Controls - properties: - - - name: label - value: SA-4(1) - - - name: sort-id - value: SA-04(01) - parts: - - - id: sa-4.1_smt - name: statement - prose: Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. - - - id: sa-4.1_gdn - name: guidance - prose: Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls. - - - id: sa-4.2 - class: SP800-53-enhancement - title: Design and Implementation Information for Controls - parameters: - - - id: sa-4.2_prm_1 - - - id: sa-4.2_prm_2 - depends-on: sa-4.2_prm_1 - label: organization-defined design and implementation information - - - id: sa-4.2_prm_3 - label: organization-defined level of detail - properties: - - - name: label - value: SA-4(2) - - - name: sort-id - value: SA-04(02) - parts: - - - id: sa-4.2_smt - name: statement - prose: Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}. - - - id: sa-4.2_gdn - name: guidance - prose: Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system. - - - id: sa-4.9 - class: SP800-53-enhancement - title: Functions, Ports, Protocols, and Services in Use - properties: - - - name: label - value: SA-4(9) - - - name: sort-id - value: SA-04(09) - links: - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #sa-9 - rel: related - text: SA-9 - parts: - - - id: sa-4.9_smt - name: statement - prose: Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use. - - - id: sa-4.9_gdn - name: guidance - prose: The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources. - - - id: sa-4.10 - class: SP800-53-enhancement - title: Use of Approved PIV Products - properties: - - - name: label - value: SA-4(10) - - - name: sort-id - value: SA-04(10) - links: - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #pm-9 - rel: related - text: PM-9 - parts: - - - id: sa-4.10_smt - name: statement - prose: Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. - - - id: sa-4.10_gdn - name: guidance - prose: Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations. - - - id: sa-5 - class: SP800-53 - title: System Documentation - parameters: - - - id: sa-5_prm_1 - label: organization-defined actions - - - id: sa-5_prm_2 - label: organization-defined personnel or roles - properties: - - - name: label - value: SA-5 - - - name: sort-id - value: SA-05 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: sa-5_smt - name: statement - parts: - - - id: sa-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Obtain administrator documentation for the system, system component, or system service that describes: - parts: - - - id: sa-5_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Secure configuration, installation, and operation of the system, component, or service; - - - id: sa-5_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Effective use and maintenance of security and privacy functions and mechanisms; and - - - id: sa-5_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Known vulnerabilities regarding configuration and use of administrative or privileged functions; - - - id: sa-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Obtain user documentation for the system, system component, or system service that describes: - parts: - - - id: sa-5_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; - - - id: sa-5_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and - - - id: sa-5_smt.b.3 - name: item - properties: - - - name: label - value: 3. - prose: User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; - - - id: sa-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes {{ sa-5_prm_1 }} in response; - - - id: sa-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect documentation as required, in accordance with the organizational risk management strategy; and - - - id: sa-5_smt.e - name: item - properties: - - - name: label - value: e. - prose: Distribute documentation to {{ sa-5_prm_2 }}. - - - id: sa-5_gdn - name: guidance - prose: System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation. - - - id: sa-8 - class: SP800-53 - title: Security and Privacy Engineering Principles - parameters: - - - id: sa-8_prm_1 - label: organization-defined systems security and privacy engineering principles - properties: - - - name: label - value: SA-8 - - - name: sort-id - value: SA-08 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-20 - rel: related - text: SA-20 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-39 - rel: related - text: SC-39 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-8_smt - name: statement - prose: Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ sa-8_prm_1 }}. - - - id: sa-8_gdn - name: guidance - prose: - """ - Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. - The application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. - Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design. - """ - - - id: sa-9 - class: SP800-53 - title: External System Services - parameters: - - - id: sa-9_prm_1 - label: organization-defined controls - - - id: sa-9_prm_2 - label: organization-defined processes, methods, and techniques - properties: - - - name: label - value: SA-9 - - - name: sort-id - value: SA-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-9_smt - name: statement - parts: - - - id: sa-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }}; - - - id: sa-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define and document organizational oversight and user roles and responsibilities with regard to external system services; and - - - id: sa-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}. - - - id: sa-9_gdn - name: guidance - prose: External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. - controls: - - - id: sa-9.2 - class: SP800-53-enhancement - title: Identification of Functions, Ports, Protocols, and Services - parameters: - - - id: sa-9.2_prm_1 - label: organization-defined external system services - properties: - - - name: label - value: SA-9(2) - - - name: sort-id - value: SA-09(02) - links: - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-7 - rel: related - text: CM-7 - parts: - - - id: sa-9.2_smt - name: statement - prose: Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ sa-9.2_prm_1 }}. - - - id: sa-9.2_gdn - name: guidance - prose: Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. - - - id: sa-10 - class: SP800-53 - title: Developer Configuration Management - parameters: - - - id: sa-10_prm_1 - - - id: sa-10_prm_2 - label: organization-defined configuration items under configuration management - - - id: sa-10_prm_3 - label: organization-defined personnel - properties: - - - name: label - value: SA-10 - - - name: sort-id - value: SA-10 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: sa-10_smt - name: statement - prose: Require the developer of the system, system component, or system service to: - parts: - - - id: sa-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Perform configuration management during system, component, or service {{ sa-10_prm_1 }}; - - - id: sa-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }}; - - - id: sa-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Implement only organization-approved changes to the system, component, or service; - - - id: sa-10_smt.d - name: item - properties: - - - name: label - value: d. - prose: Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and - - - id: sa-10_smt.e - name: item - properties: - - - name: label - value: e. - prose: Track security flaws and flaw resolution within the system, component, or service and report findings to {{ sa-10_prm_3 }}. - - - id: sa-10_gdn - name: guidance - prose: - """ - Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes. - The configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle. - """ - - - id: sa-11 - class: SP800-53 - title: Developer Testing and Evaluation - parameters: - - - id: sa-11_prm_1 - - - id: sa-11_prm_2 - label: organization-defined frequency - - - id: sa-11_prm_3 - label: organization-defined depth and coverage - properties: - - - name: label - value: SA-11 - - - name: sort-id - value: SA-11 - links: - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #fd0f14f5-8910-45c4-b60a-0c8936e00daa - rel: reference - text: [SP 800-154] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-7 - rel: related - text: SR-7 - parts: - - - id: sa-11_smt - name: statement - prose: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: - parts: - - - id: sa-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and implement a plan for ongoing security and privacy assessments; - - - id: sa-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }}; - - - id: sa-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; - - - id: sa-11_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement a verifiable flaw remediation process; and - - - id: sa-11_smt.e - name: item - properties: - - - name: label - value: e. - prose: Correct flaws identified during testing and evaluation. - - - id: sa-11_gdn - name: guidance - prose: - """ - Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. - Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation. - """ - - - id: sa-15 - class: SP800-53 - title: Development Process, Standards, and Tools - parameters: - - - id: sa-15_prm_1 - label: organization-defined frequency - - - id: sa-15_prm_2 - label: organization-defined security and privacy requirements - properties: - - - name: label - value: SA-15 - - - name: sort-id - value: SA-15 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #7a93e915-fd58-4147-be12-e48044c367e6 - rel: reference - text: [IR 8179] - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - parts: - - - id: sa-15_smt - name: statement - parts: - - - id: sa-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require the developer of the system, system component, or system service to follow a documented development process that: - parts: - - - id: sa-15_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Explicitly addresses security and privacy requirements; - - - id: sa-15_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Identifies the standards and tools used in the development process; - - - id: sa-15_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Documents the specific tool options and tool configurations used in the development process; and - - - id: sa-15_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and - - - id: sa-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review the development process, standards, tools, tool options, and tool configurations {{ sa-15_prm_1 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ sa-15_prm_2 }}. - - - id: sa-15_gdn - name: guidance - prose: Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes. - controls: - - - id: sa-15.3 - class: SP800-53-enhancement - title: Criticality Analysis - parameters: - - - id: sa-15.3_prm_1 - label: organization-defined decision points in the system development life cycle - - - id: sa-15.3_prm_2 - label: organization-defined breadth and depth of criticality analysis - properties: - - - name: label - value: SA-15(3) - - - name: sort-id - value: SA-15(03) - links: - - - href: #ra-9 - rel: related - text: RA-9 - parts: - - - id: sa-15.3_smt - name: statement - prose: Require the developer of the system, system component, or system service to perform a criticality analysis: - parts: - - - id: sa-15.3_smt.a - name: item - properties: - - - name: label - value: (a) - prose: At the following decision points in the system development life cycle: {{ sa-15.3_prm_1 }}; and - - - id: sa-15.3_smt.b - name: item - properties: - - - name: label - value: (b) - prose: At the following level of rigor: {{ sa-15.3_prm_2 }}. - - - id: sa-15.3_gdn - name: guidance - prose: Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses. - - - id: sa-22 - class: SP800-53 - title: Unsupported System Components - parameters: - - - id: sa-22_prm_1 - - - id: sa-22_prm_2 - depends-on: sa-22_prm_1 - label: organization-defined support from external providers - properties: - - - name: label - value: SA-22 - - - name: sort-id - value: SA-22 - links: - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: sa-22_smt - name: statement - parts: - - - id: sa-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or - - - id: sa-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide the following options for alternative sources for continued support for unsupported components {{ sa-22_prm_1 }}. - - - id: sa-22_gdn - name: guidance - prose: - """ - Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. - Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors. - """ - - - id: sc - class: family - title: System and Communications Protection - controls: - - - id: sc-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sc-1_prm_1 - label: organization-defined personnel or roles - - - id: sc-1_prm_2 - - - id: sc-1_prm_3 - label: organization-defined official - - - id: sc-1_prm_4 - label: organization-defined frequency - - - id: sc-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SC-1 - - - name: sort-id - value: SC-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sc-1_smt - name: statement - parts: - - - id: sc-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sc-1_prm_1 }}: - parts: - - - id: sc-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sc-1_prm_2 }} system and communications protection policy that: - """ - parts: - - - id: sc-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sc-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sc-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; - - - id: sc-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sc-1_prm_3 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and - - - id: sc-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and communications protection: - parts: - - - id: sc-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sc-1_prm_4 }}; and - - - id: sc-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sc-1_prm_5 }}. - - - id: sc-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sc-2 - class: SP800-53 - title: Separation of System and User Functionality - properties: - - - name: label - value: SC-2 - - - name: sort-id - value: SC-02 - links: - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-22 - rel: related - text: SC-22 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-39 - rel: related - text: SC-39 - parts: - - - id: sc-2_smt - name: statement - prose: Separate user functionality, including user interface services, from system management functionality. - - - id: sc-2_gdn - name: guidance - prose: System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18). - - - id: sc-4 - class: SP800-53 - title: Information in Shared System Resources - properties: - - - name: label - value: SC-4 - - - name: sort-id - value: SC-04 - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: sc-4_smt - name: statement - prose: Prevent unauthorized and unintended information transfer via shared system resources. - - - id: sc-4_gdn - name: guidance - prose: Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles. - - - id: sc-5 - class: SP800-53 - title: Denial of Service Protection - parameters: - - - id: sc-5_prm_1 - - - id: sc-5_prm_2 - label: organization-defined types of denial of service events - - - id: sc-5_prm_3 - label: organization-defined controls by type of denial of service event - properties: - - - name: label - value: SC-5 - - - name: sort-id - value: SC-05 - links: - - - href: #3862cd94-ff25-4631-9a9a-b92c21a0a923 - rel: reference - text: [SP 800-189] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #sc-6 - rel: related - text: SC-6 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-40 - rel: related - text: SC-40 - parts: - - - id: sc-5_smt - name: statement - parts: - - - id: sc-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: - """ - - {{ sc-5_prm_1 }} the effects of the following types of denial of service events: {{ sc-5_prm_2 }}; and - """ - - - id: sc-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following controls to achieve the denial of service objective: {{ sc-5_prm_3 }}. - - - id: sc-5_gdn - name: guidance - prose: Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events. - - - id: sc-7 - class: SP800-53 - title: Boundary Protection - parameters: - - - id: sc-7_prm_1 - properties: - - - name: label - value: SC-7 - - - name: sort-id - value: SC-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #db7877cf-1013-4fb1-b943-ca9361d16370 - rel: reference - text: [SP 800-41] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #3862cd94-ff25-4631-9a9a-b92c21a0a923 - rel: reference - text: [SP 800-189] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-10 - rel: related - text: CM-10 - - - href: #cp-8 - rel: related - text: CP-8 - - - href: #cp-10 - rel: related - text: CP-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-32 - rel: related - text: SC-32 - - - href: #sc-43 - rel: related - text: SC-43 - parts: - - - id: sc-7_smt - name: statement - parts: - - - id: sc-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system; - - - id: sc-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks; and - - - id: sc-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. - - - id: sc-7_gdn - name: guidance - prose: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. - controls: - - - id: sc-7.3 - class: SP800-53-enhancement - title: Access Points - properties: - - - name: label - value: SC-7(3) - - - name: sort-id - value: SC-07(03) - parts: - - - id: sc-7.3_smt - name: statement - prose: Limit the number of external network connections to the system. - - - id: sc-7.3_gdn - name: guidance - prose: Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system. - - - id: sc-7.4 - class: SP800-53-enhancement - title: External Telecommunications Services - parameters: - - - id: sc-7.4_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SC-7(4) - - - name: sort-id - value: SC-07(04) - links: - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #sc-8 - rel: related - text: SC-8 - parts: - - - id: sc-7.4_smt - name: statement - parts: - - - id: sc-7.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Implement a managed interface for each external telecommunication service; - - - id: sc-7.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Establish a traffic flow policy for each managed interface; - - - id: sc-7.4_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Protect the confidentiality and integrity of the information being transmitted across each interface; - - - id: sc-7.4_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; - - - id: sc-7.4_smt.e - name: item - properties: - - - name: label - value: (e) - prose: Review exceptions to the traffic flow policy {{ sc-7.4_prm_1 }} and remove exceptions that are no longer supported by an explicit mission or business need; - - - id: sc-7.4_smt.f - name: item - properties: - - - name: label - value: (f) - prose: Prevent unauthorized exchange of control plane traffic with external networks; - - - id: sc-7.4_smt.g - name: item - properties: - - - name: label - value: (g) - prose: Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and - - - id: sc-7.4_smt.h - name: item - properties: - - - name: label - value: (h) - prose: Filter unauthorized control plane traffic from external networks. - - - id: sc-7.4_gdn - name: guidance - prose: External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.” - - - id: sc-7.5 - class: SP800-53-enhancement - title: Deny by Default — Allow by Exception - parameters: - - - id: sc-7.5_prm_1 - - - id: sc-7.5_prm_2 - depends-on: sc-7.5_prm_1 - label: organization-defined systems - properties: - - - name: label - value: SC-7(5) - - - name: sort-id - value: SC-07(05) - parts: - - - id: sc-7.5_smt - name: statement - prose: Deny network communications traffic by default and allow network communications traffic by exception {{ sc-7.5_prm_1 }}. - - - id: sc-7.5_gdn - name: guidance - prose: Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system. - - - id: sc-7.7 - class: SP800-53-enhancement - title: Prevent Split Tunneling for Remote Devices - properties: - - - name: label - value: SC-7(7) - - - name: sort-id - value: SC-07(07) - parts: - - - id: sc-7.7_smt - name: statement - prose: Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. - - - id: sc-7.7_gdn - name: guidance - prose: Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. - - - id: sc-7.8 - class: SP800-53-enhancement - title: Route Traffic to Authenticated Proxy Servers - parameters: - - - id: sc-7.8_prm_1 - label: organization-defined internal communications traffic - - - id: sc-7.8_prm_2 - label: organization-defined external networks - properties: - - - name: label - value: SC-7(8) - - - name: sort-id - value: SC-07(08) - links: - - - href: #ac-3 - rel: related - text: AC-3 - parts: - - - id: sc-7.8_smt - name: statement - prose: Route {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces. - - - id: sc-7.8_gdn - name: guidance - prose: External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation). - - - id: sc-8 - class: SP800-53 - title: Transmission Confidentiality and Integrity - parameters: - - - id: sc-8_prm_1 - properties: - - - name: label - value: SC-8 - - - name: sort-id - value: SC-08 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #bbc7085f-b383-444e-af74-722a55cccc0f - rel: reference - text: [FIPS 197] - - - href: #286604ec-e383-4c1d-bd8c-d88f88e54a0f - rel: reference - text: [SP 800-52] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #36132a58-56fd-4980-9f6c-c010d3faf52b - rel: reference - text: [SP 800-113] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ia-9 - rel: related - text: IA-9 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-4 - rel: related - text: PE-4 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-16 - rel: related - text: SC-16 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-28 - rel: related - text: SC-28 - parts: - - - id: sc-8_smt - name: statement - prose: Protect the {{ sc-8_prm_1 }} of transmitted information. - - - id: sc-8_gdn - name: guidance - prose: - """ - Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. - Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls. - """ - controls: - - - id: sc-8.1 - class: SP800-53-enhancement - title: Cryptographic Protection - parameters: - - - id: sc-8.1_prm_1 - properties: - - - name: label - value: SC-8(1) - - - name: sort-id - value: SC-08(01) - links: - - - href: #sc-13 - rel: related - text: SC-13 - parts: - - - id: sc-8.1_smt - name: statement - prose: Implement cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission. - - - id: sc-8.1_gdn - name: guidance - prose: Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path. - - - id: sc-10 - class: SP800-53 - title: Network Disconnect - parameters: - - - id: sc-10_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: SC-10 - - - name: sort-id - value: SC-10 - links: - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #sc-23 - rel: related - text: SC-23 - parts: - - - id: sc-10_smt - name: statement - prose: Terminate the network connection associated with a communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity. - - - id: sc-10_gdn - name: guidance - prose: Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses. - - - id: sc-12 - class: SP800-53 - title: Cryptographic Key Establishment and Management - parameters: - - - id: sc-12_prm_1 - label: organization-defined requirements for key generation, distribution, storage, access, and destruction - properties: - - - name: label - value: SC-12 - - - name: sort-id - value: SC-12 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #77dc1838-3664-4faa-bc6e-4e2a16e52f35 - rel: reference - text: [SP 800-56A] - - - href: #f417e4ec-cadb-47a8-a363-6006b32c28ad - rel: reference - text: [SP 800-56B] - - - href: #7c3ba335-62bd-4f03-888f-960790409b11 - rel: reference - text: [SP 800-56C] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #f437b52f-7f26-42aa-8e8f-999e7d67b2fe - rel: reference - text: [IR 7956] - - - href: #30213e10-2aca-47b3-8cdb-61303e0959f5 - rel: reference - text: [IR 7966] - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-11 - rel: related - text: SC-11 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-17 - rel: related - text: SC-17 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: sc-12_smt - name: statement - prose: Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ sc-12_prm_1 }}. - - - id: sc-12_gdn - name: guidance - prose: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. - - - id: sc-13 - class: SP800-53 - title: Cryptographic Protection - parameters: - - - id: sc-13_prm_1 - label: organization-defined cryptographic uses - - - id: sc-13_prm_2 - label: organization-defined types of cryptography for each specified cryptographic use - properties: - - - name: label - value: SC-13 - - - name: sort-id - value: SC-13 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-10 - rel: related - text: AU-10 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ia-7 - rel: related - text: IA-7 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-40 - rel: related - text: SC-40 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: sc-13_smt - name: statement - parts: - - - id: sc-13_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine the {{ sc-13_prm_1 }}; and - - - id: sc-13_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the following types of cryptography required for each specified cryptographic use: {{ sc-13_prm_2 }}. - - - id: sc-13_gdn - name: guidance - prose: Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - - - id: sc-15 - class: SP800-53 - title: Collaborative Computing Devices and Applications - parameters: - - - id: sc-15_prm_1 - label: organization-defined exceptions where remote activation is to be allowed - properties: - - - name: label - value: SC-15 - - - name: sort-id - value: SC-15 - links: - - - href: #ac-21 - rel: related - text: AC-21 - - - href: #sc-42 - rel: related - text: SC-42 - parts: - - - id: sc-15_smt - name: statement - parts: - - - id: sc-15_smt.a - name: item - properties: - - - name: label - value: a. - prose: Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ sc-15_prm_1 }}; and - - - id: sc-15_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide an explicit indication of use to users physically present at the devices. - - - id: sc-15_gdn - name: guidance - prose: Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated. - - - id: sc-17 - class: SP800-53 - title: Public Key Infrastructure Certificates - parameters: - - - id: sc-17_prm_1 - label: organization-defined certificate policy - properties: - - - name: label - value: SC-17 - - - name: sort-id - value: SC-17 - links: - - - href: #b7140427-d4c4-467a-97a1-5ca9f7c6584a - rel: reference - text: [SP 800-32] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #au-10 - rel: related - text: AU-10 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #sc-12 - rel: related - text: SC-12 - parts: - - - id: sc-17_smt - name: statement - parts: - - - id: sc-17_smt.a - name: item - properties: - - - name: label - value: a. - prose: Issue public key certificates under an {{ sc-17_prm_1 }} or obtain public key certificates from an approved service provider; and - - - id: sc-17_smt.b - name: item - properties: - - - name: label - value: b. - prose: Include only approved trust anchors in trust stores or certificate stores managed by the organization. - - - id: sc-17_gdn - name: guidance - prose: This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates. - - - id: sc-18 - class: SP800-53 - title: Mobile Code - properties: - - - name: label - value: SC-18 - - - name: sort-id - value: SC-18 - links: - - - href: #8e334d74-fc06-47a9-bbb1-804fdfae0e44 - rel: reference - text: [SP 800-28] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #si-3 - rel: related - text: SI-3 - parts: - - - id: sc-18_smt - name: statement - parts: - - - id: sc-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define acceptable and unacceptable mobile code and mobile code technologies; and - - - id: sc-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Authorize, monitor, and control the use of mobile code within the system. - - - id: sc-18_gdn - name: guidance - prose: Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. - - - id: sc-20 - class: SP800-53 - title: Secure Name/address Resolution Service (authoritative Source) - properties: - - - name: label - value: SC-20 - - - name: sort-id - value: SC-20 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #au-10 - rel: related - text: AU-10 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-21 - rel: related - text: SC-21 - - - href: #sc-22 - rel: related - text: SC-22 - parts: - - - id: sc-20_smt - name: statement - parts: - - - id: sc-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and - - - id: sc-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. - - - id: sc-20_gdn - name: guidance - prose: This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data. - - - id: sc-21 - class: SP800-53 - title: Secure Name/address Resolution Service (recursive or Caching Resolver) - properties: - - - name: label - value: SC-21 - - - name: sort-id - value: SC-21 - links: - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-22 - rel: related - text: SC-22 - parts: - - - id: sc-21_smt - name: statement - prose: Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. - - - id: sc-21_gdn - name: guidance - prose: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data. - - - id: sc-22 - class: SP800-53 - title: Architecture and Provisioning for Name/address Resolution Service - properties: - - - name: label - value: SC-22 - - - name: sort-id - value: SC-22 - links: - - - href: #93d44344-59f9-4669-845d-6cc2a5852621 - rel: reference - text: [SP 800-81-2] - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-20 - rel: related - text: SC-20 - - - href: #sc-21 - rel: related - text: SC-21 - - - href: #sc-24 - rel: related - text: SC-24 - parts: - - - id: sc-22_smt - name: statement - prose: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. - - - id: sc-22_gdn - name: guidance - prose: Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists. - - - id: sc-23 - class: SP800-53 - title: Session Authenticity - properties: - - - name: label - value: SC-23 - - - name: sort-id - value: SC-23 - links: - - - href: #286604ec-e383-4c1d-bd8c-d88f88e54a0f - rel: reference - text: [SP 800-52] - - - href: #8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - rel: reference - text: [SP 800-77] - - - href: #1d91d984-0cb6-4f96-a01d-c39a3eee7d43 - rel: reference - text: [SP 800-95] - - - href: #36132a58-56fd-4980-9f6c-c010d3faf52b - rel: reference - text: [SP 800-113] - - - href: #au-10 - rel: related - text: AU-10 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-10 - rel: related - text: SC-10 - - - href: #sc-11 - rel: related - text: SC-11 - parts: - - - id: sc-23_smt - name: statement - prose: Protect the authenticity of communications sessions. - - - id: sc-23_gdn - name: guidance - prose: Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions. - - - id: sc-28 - class: SP800-53 - title: Protection of Information at Rest - parameters: - - - id: sc-28_prm_1 - - - id: sc-28_prm_2 - label: organization-defined information at rest - properties: - - - name: label - value: SC-28 - - - name: sort-id - value: SC-28 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #77dc1838-3664-4faa-bc6e-4e2a16e52f35 - rel: reference - text: [SP 800-56A] - - - href: #f417e4ec-cadb-47a8-a363-6006b32c28ad - rel: reference - text: [SP 800-56B] - - - href: #7c3ba335-62bd-4f03-888f-960790409b11 - rel: reference - text: [SP 800-56C] - - - href: #770f9bdc-4023-48ef-8206-c65397f061ea - rel: reference - text: [SP 800-57-1] - - - href: #69644a9e-438a-47c3-bac9-cf28b5baf848 - rel: reference - text: [SP 800-57-2] - - - href: #9933c883-e8f3-4a83-9a9a-d1e058038080 - rel: reference - text: [SP 800-57-3] - - - href: #1b14b50f-7154-4226-958c-7dfff8276755 - rel: reference - text: [SP 800-111] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-9 - rel: related - text: CP-9 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-34 - rel: related - text: SC-34 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-16 - rel: related - text: SI-16 - parts: - - - id: sc-28_smt - name: statement - prose: Protect the {{ sc-28_prm_1 }} of the following information at rest: {{ sc-28_prm_2 }}. - - - id: sc-28_gdn - name: guidance - prose: Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage. - controls: - - - id: sc-28.1 - class: SP800-53-enhancement - title: Cryptographic Protection - parameters: - - - id: sc-28.1_prm_1 - label: organization-defined system components or media - - - id: sc-28.1_prm_2 - label: organization-defined information - properties: - - - name: label - value: SC-28(1) - - - name: sort-id - value: SC-28(01) - links: - - - href: #ac-19 - rel: related - text: AC-19 - parts: - - - id: sc-28.1_smt - name: statement - prose: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ sc-28.1_prm_1 }}: {{ sc-28.1_prm_2 }}. - - - id: sc-28.1_gdn - name: guidance - prose: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13). - - - id: sc-39 - class: SP800-53 - title: Process Isolation - properties: - - - name: label - value: SC-39 - - - name: sort-id - value: SC-39 - links: - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-2 - rel: related - text: SC-2 - - - href: #sc-3 - rel: related - text: SC-3 - - - href: #si-16 - rel: related - text: SI-16 - parts: - - - id: sc-39_smt - name: statement - prose: Maintain a separate execution domain for each executing system process. - - - id: sc-39_gdn - name: guidance - prose: Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies. - - - id: si - class: family - title: System and Information Integrity - controls: - - - id: si-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: si-1_prm_1 - label: organization-defined personnel or roles - - - id: si-1_prm_2 - - - id: si-1_prm_3 - label: organization-defined official - - - id: si-1_prm_4 - label: organization-defined frequency - - - id: si-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SI-1 - - - name: sort-id - value: SI-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: si-1_smt - name: statement - parts: - - - id: si-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ si-1_prm_1 }}: - parts: - - - id: si-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ si-1_prm_2 }} system and information integrity policy that: - """ - parts: - - - id: si-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: si-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: si-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; - - - id: si-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and - - - id: si-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and information integrity: - parts: - - - id: si-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ si-1_prm_4 }}; and - - - id: si-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ si-1_prm_5 }}. - - - id: si-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: si-2 - class: SP800-53 - title: Flaw Remediation - parameters: - - - id: si-2_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: SI-2 - - - name: sort-id - value: SI-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - rel: reference - text: [IR 7788] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-5 - rel: related - text: SI-5 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: si-2_smt - name: statement - parts: - - - id: si-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify, report, and correct system flaws; - - - id: si-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; - - - id: si-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Install security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and - - - id: si-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Incorporate flaw remediation into the organizational configuration management process. - - - id: si-2_gdn - name: guidance - prose: - """ - The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. - Organization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. - """ - controls: - - - id: si-2.2 - class: SP800-53-enhancement - title: Automated Flaw Remediation Status - parameters: - - - id: si-2.2_prm_1 - label: organization-defined automated mechanisms - - - id: si-2.2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SI-2(2) - - - name: sort-id - value: SI-02(02) - links: - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: si-2.2_smt - name: statement - prose: - """ - Determine if system components have applicable security-relevant software and firmware updates installed using {{ si-2.2_prm_1 }} - {{ si-2.2_prm_2 }}. - """ - - - id: si-2.2_gdn - name: guidance - prose: Automated mechanisms can track and determine the status of known flaws for system components. - - - id: si-3 - class: SP800-53 - title: Malicious Code Protection - parameters: - - - id: si-3_prm_1 - - - id: si-3_prm_2 - label: organization-defined frequency - - - id: si-3_prm_3 - - - id: si-3_prm_4 - - - id: si-3_prm_5 - depends-on: si-3_prm_4 - label: organization-defined action - - - id: si-3_prm_6 - label: organization-defined personnel or roles - properties: - - - name: label - value: SI-3 - - - name: sort-id - value: SI-03 - links: - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #c972a85c-fa75-4596-be25-a338dc7e4e46 - rel: reference - text: [SP 800-125B] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-23 - rel: related - text: SC-23 - - - href: #sc-26 - rel: related - text: SC-26 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-44 - rel: related - text: SC-44 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-8 - rel: related - text: SI-8 - - - href: #si-15 - rel: related - text: SI-15 - parts: - - - id: si-3_smt - name: statement - parts: - - - id: si-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement {{ si-3_prm_1 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; - - - id: si-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; - - - id: si-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Configure malicious code protection mechanisms to: - parts: - - - id: si-3_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Perform periodic scans of the system {{ si-3_prm_2 }} and real-time scans of files from external sources at {{ si-3_prm_3 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and - - - id: si-3_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ si-3_prm_4 }}; and send alert to {{ si-3_prm_6 }} in response to malicious code detection. - """ - - - id: si-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. - - - id: si-3_gdn - name: guidance - prose: - """ - System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. - Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions. - In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files. - """ - controls: - - - id: si-3.1 - class: SP800-53-enhancement - title: Central Management - properties: - - - name: label - value: SI-3(1) - - - name: sort-id - value: SI-03(01) - links: - - - href: #pl-9 - rel: related - text: PL-9 - parts: - - - id: si-3.1_smt - name: statement - prose: Centrally manage malicious code protection mechanisms. - - - id: si-3.1_gdn - name: guidance - prose: Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls. - - - id: si-4 - class: SP800-53 - title: System Monitoring - parameters: - - - id: si-4_prm_1 - label: organization-defined monitoring objectives - - - id: si-4_prm_2 - label: organization-defined techniques and methods - - - id: si-4_prm_3 - label: organization-defined system monitoring information - - - id: si-4_prm_4 - label: organization-defined personnel or roles - - - id: si-4_prm_5 - - - id: si-4_prm_6 - depends-on: si-4_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SI-4 - - - name: sort-id - value: SI-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #02d8ec60-6197-43f8-9f47-18732127963e - rel: reference - text: [SP 800-92] - - - href: #41e2e2c6-2260-4258-85c8-09db17c43103 - rel: reference - text: [SP 800-94] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-10 - rel: related - text: IA-10 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-26 - rel: related - text: SC-26 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #sc-35 - rel: related - text: SC-35 - - - href: #sc-36 - rel: related - text: SC-36 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-6 - rel: related - text: SI-6 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - parts: - - - id: si-4_smt - name: statement - parts: - - - id: si-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Monitor the system to detect: - parts: - - - id: si-4_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ si-4_prm_1 }}; and - - - id: si-4_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Unauthorized local, network, and remote connections; - - - id: si-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Identify unauthorized use of the system through the following techniques and methods: {{ si-4_prm_2 }}; - - - id: si-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Invoke internal monitoring capabilities or deploy monitoring devices: - parts: - - - id: si-4_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Strategically within the system to collect organization-determined essential information; and - - - id: si-4_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: At ad hoc locations within the system to track specific types of transactions of interest to the organization; - - - id: si-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; - - - id: si-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; - - - id: si-4_smt.f - name: item - properties: - - - name: label - value: f. - prose: Obtain legal opinion regarding system monitoring activities; and - - - id: si-4_smt.g - name: item - properties: - - - name: label - value: g. - prose: - """ - Provide {{ si-4_prm_3 }} to {{ si-4_prm_4 }} - {{ si-4_prm_5 }}. - """ - - - id: si-4_gdn - name: guidance - prose: - """ - System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. - Depending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - """ - controls: - - - id: si-4.2 - class: SP800-53-enhancement - title: Automated Tools and Mechanisms for Real-time Analysis - properties: - - - name: label - value: SI-4(2) - - - name: sort-id - value: SI-04(02) - links: - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-25 - rel: related - text: PM-25 - parts: - - - id: si-4.2_smt - name: statement - prose: Employ automated tools and mechanisms to support near real-time analysis of events. - - - id: si-4.2_gdn - name: guidance - prose: Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan. - - - id: si-4.4 - class: SP800-53-enhancement - title: Inbound and Outbound Communications Traffic - parameters: - - - id: si-4.4_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SI-4(4) - - - name: sort-id - value: SI-04(04) - parts: - - - id: si-4.4_smt - name: statement - prose: Monitor inbound and outbound communications traffic {{ si-4.4_prm_1 }} for unusual or unauthorized activities or conditions. - - - id: si-4.4_gdn - name: guidance - prose: Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. - - - id: si-4.5 - class: SP800-53-enhancement - title: System-generated Alerts - parameters: - - - id: si-4.5_prm_1 - label: organization-defined personnel or roles - - - id: si-4.5_prm_2 - label: organization-defined compromise indicators - properties: - - - name: label - value: SI-4(5) - - - name: sort-id - value: SI-04(05) - links: - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #pe-6 - rel: related - text: PE-6 - parts: - - - id: si-4.5_smt - name: statement - prose: Alert {{ si-4.5_prm_1 }} when the following system-generated indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}. - - - id: si-4.5_gdn - name: guidance - prose: Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats. - - - id: si-5 - class: SP800-53 - title: Security Alerts, Advisories, and Directives - parameters: - - - id: si-5_prm_1 - label: organization-defined external organizations - - - id: si-5_prm_2 - - - id: si-5_prm_3 - depends-on: si-5_prm_2 - label: organization-defined personnel or roles - - - id: si-5_prm_4 - depends-on: si-5_prm_2 - label: organization-defined elements within the organization - - - id: si-5_prm_5 - depends-on: si-5_prm_2 - label: organization-defined external organizations - properties: - - - name: label - value: SI-5 - - - name: sort-id - value: SI-05 - links: - - - href: #1126ec09-2b27-4a21-80b2-fef70b31c49d - rel: reference - text: [SP 800-40] - - - href: #pm-15 - rel: related - text: PM-15 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: si-5_smt - name: statement - parts: - - - id: si-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Receive system security alerts, advisories, and directives from {{ si-5_prm_1 }} on an ongoing basis; - - - id: si-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Generate internal security alerts, advisories, and directives as deemed necessary; - - - id: si-5_smt.c - name: item - properties: - - - name: label - value: c. - prose: Disseminate security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and - - - id: si-5_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. - - - id: si-5_gdn - name: guidance - prose: The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations. - - - id: si-7 - class: SP800-53 - title: Software, Firmware, and Information Integrity - parameters: - - - id: si-7_prm_1 - label: organization-defined software, firmware, and information - - - id: si-7_prm_2 - label: organization-defined actions - properties: - - - name: label - value: SI-7 - - - name: sort-id - value: SI-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #e9224c9b-4fa5-40b7-bfbb-02bff7712d92 - rel: reference - text: [SP 800-147] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-7 - rel: related - text: CM-7 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sc-8 - rel: related - text: SC-8 - - - href: #sc-12 - rel: related - text: SC-12 - - - href: #sc-13 - rel: related - text: SC-13 - - - href: #sc-28 - rel: related - text: SC-28 - - - href: #sc-37 - rel: related - text: SC-37 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: si-7_smt - name: statement - parts: - - - id: si-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ si-7_prm_1 }}; and - - - id: si-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ si-7_prm_2 }}. - - - id: si-7_gdn - name: guidance - prose: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications. - controls: - - - id: si-7.1 - class: SP800-53-enhancement - title: Integrity Checks - parameters: - - - id: si-7.1_prm_1 - label: organization-defined software, firmware, and information - - - id: si-7.1_prm_2 - - - id: si-7.1_prm_3 - depends-on: si-7.1_prm_2 - label: organization-defined transitional states or security-relevant events - - - id: si-7.1_prm_4 - depends-on: si-7.1_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SI-7(1) - - - name: sort-id - value: SI-07(01) - parts: - - - id: si-7.1_smt - name: statement - prose: - """ - Perform an integrity check of {{ si-7.1_prm_1 }} - {{ si-7.1_prm_2 }}. - """ - - - id: si-7.1_gdn - name: guidance - prose: Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort. - - - id: si-7.7 - class: SP800-53-enhancement - title: Integration of Detection and Response - parameters: - - - id: si-7.7_prm_1 - label: organization-defined security-relevant changes to the system - properties: - - - name: label - value: SI-7(7) - - - name: sort-id - value: SI-07(07) - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: si-7.7_smt - name: statement - prose: Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ si-7.7_prm_1 }}. - - - id: si-7.7_gdn - name: guidance - prose: This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges. - - - id: si-8 - class: SP800-53 - title: Spam Protection - properties: - - - name: label - value: SI-8 - - - name: sort-id - value: SI-08 - links: - - - href: #23b0a203-c020-47dd-b86c-9f8c35ecaa4e - rel: reference - text: [SP 800-45] - - - href: #64e044e4-b2a9-490f-a079-1106407c812f - rel: reference - text: [SP 800-177] - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: si-8_smt - name: statement - parts: - - - id: si-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and - - - id: si-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. - - - id: si-8_gdn - name: guidance - prose: System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions. - controls: - - - id: si-8.1 - class: SP800-53-enhancement - title: Central Management - properties: - - - name: label - value: SI-8(1) - - - name: sort-id - value: SI-08(01) - links: - - - href: #au-3 - rel: related - text: AU-3 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: si-8.1_smt - name: statement - prose: Centrally manage spam protection mechanisms. - - - id: si-8.1_gdn - name: guidance - prose: Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls. - - - id: si-8.2 - class: SP800-53-enhancement - title: Automatic Updates - parameters: - - - id: si-8.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SI-8(2) - - - name: sort-id - value: SI-08(02) - parts: - - - id: si-8.2_smt - name: statement - prose: Automatically update spam protection mechanisms {{ si-8.2_prm_1 }}. - - - id: si-8.2_gdn - name: guidance - prose: Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability. - - - id: si-10 - class: SP800-53 - title: Information Input Validation - parameters: - - - id: si-10_prm_1 - label: organization-defined information inputs to the system - properties: - - - name: label - value: SI-10 - - - name: sort-id - value: SI-10 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - parts: - - - id: si-10_smt - name: statement - prose: Check the validity of the following information inputs: {{ si-10_prm_1 }}. - - - id: si-10_gdn - name: guidance - prose: Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. - - - id: si-11 - class: SP800-53 - title: Error Handling - parameters: - - - id: si-11_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SI-11 - - - name: sort-id - value: SI-11 - links: - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #sc-31 - rel: related - text: SC-31 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: si-11_smt - name: statement - parts: - - - id: si-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and - - - id: si-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Reveal error messages only to {{ si-11_prm_1 }}. - - - id: si-11_gdn - name: guidance - prose: Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information. - - - id: si-12 - class: SP800-53 - title: Information Management and Retention - properties: - - - name: label - value: SI-12 - - - name: sort-id - value: SI-12 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-3 - rel: related - text: MP-3 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sr-1 - rel: related - text: SR-1 - parts: - - - id: si-12_smt - name: statement - prose: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. - - - id: si-12_gdn - name: guidance - prose: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel. - - - id: si-16 - class: SP800-53 - title: Memory Protection - parameters: - - - id: si-16_prm_1 - label: organization-defined controls - properties: - - - name: label - value: SI-16 - - - name: sort-id - value: SI-16 - links: - - - href: #ac-25 - rel: related - text: AC-25 - - - href: #sc-3 - rel: related - text: SC-3 - parts: - - - id: si-16_smt - name: statement - prose: Implement the following controls to protect the system memory from unauthorized code execution: {{ si-16_prm_1 }}. - - - id: si-16_gdn - name: guidance - prose: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism. - - - id: sr - class: family - title: Supply Chain Risk Management - controls: - - - id: sr-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sr-1_prm_1 - label: organization-defined personnel or roles - - - id: sr-1_prm_2 - - - id: sr-1_prm_3 - label: organization-defined official - - - id: sr-1_prm_4 - label: organization-defined frequency - - - id: sr-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SR-1 - - - name: sort-id - value: SR-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sr-1_smt - name: statement - parts: - - - id: sr-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sr-1_prm_1 }}: - parts: - - - id: sr-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sr-1_prm_2 }} supply chain risk management policy that: - """ - parts: - - - id: sr-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sr-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sr-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; - - - id: sr-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sr-1_prm_3 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and - - - id: sr-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current supply chain risk management: - parts: - - - id: sr-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sr-1_prm_4 }}; and - - - id: sr-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sr-1_prm_5 }}. - - - id: sr-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sr-2 - class: SP800-53 - title: Supply Chain Risk Management Plan - parameters: - - - id: sr-2_prm_1 - label: organization-defined systems, system components, or system services - - - id: sr-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SR-2 - - - name: sort-id - value: SR-02 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - parts: - - - id: sr-2_smt - name: statement - parts: - - - id: sr-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: {{ sr-2_prm_1 }}; - - - id: sr-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the supply chain risk management plan consistently across the organization; and - - - id: sr-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the supply chain risk management plan {{ sr-2_prm_2 }} or as required, to address threat, organizational or environmental changes. - - - id: sr-2_gdn - name: guidance - prose: - """ - The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans. - Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8). - """ - controls: - - - id: sr-2.1 - class: SP800-53-enhancement - title: Establish Scrm Team - parameters: - - - id: sr-2.1_prm_1 - label: organization-defined personnel, roles, and responsibilities - - - id: sr-2.1_prm_2 - label: organization-defined supply chain risk management activities - properties: - - - name: label - value: SR-2(1) - - - name: sort-id - value: SR-02(01) - parts: - - - id: sr-2.1_smt - name: statement - prose: Establish a supply chain risk management team consisting of {{ sr-2.1_prm_1 }} to lead and support the following SCRM activities: {{ sr-2.1_prm_2 }}. - - - id: sr-2.1_gdn - name: guidance - prose: To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team. - - - id: sr-3 - class: SP800-53 - title: Supply Chain Controls and Processes - parameters: - - - id: sr-3_prm_1 - label: organization-defined system or system component - - - id: sr-3_prm_2 - label: organization-defined supply chain personnel - - - id: sr-3_prm_3 - label: organization-defined supply chain controls - - - id: sr-3_prm_4 - - - id: sr-3_prm_5 - depends-on: sr-3_prm_4 - label: organization-defined document - properties: - - - name: label - value: SR-3 - - - name: sort-id - value: SR-03 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-6 - rel: related - text: MA-6 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-29 - rel: related - text: SC-29 - - - href: #sc-30 - rel: related - text: SC-30 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-3_smt - name: statement - parts: - - - id: sr-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ sr-3_prm_1 }} in coordination with {{ sr-3_prm_2 }}; - - - id: sr-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ sr-3_prm_3 }}; and - - - id: sr-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document the selected and implemented supply chain processes and controls in {{ sr-3_prm_4 }}. - - - id: sr-3_gdn - name: guidance - prose: Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain. - - - id: sr-5 - class: SP800-53 - title: Acquisition Strategies, Tools, and Methods - parameters: - - - id: sr-5_prm_1 - label: organization-defined acquisition strategies, contract tools, and procurement methods - properties: - - - name: label - value: SR-5 - - - name: sort-id - value: SR-05 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #at-3 - rel: related - text: AT-3 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-5_smt - name: statement - prose: Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ sr-5_prm_1 }}. - - - id: sr-5_gdn - name: guidance - prose: The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements. - - - id: sr-6 - class: SP800-53 - title: Supplier Reviews - parameters: - - - id: sr-6_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SR-6 - - - name: sort-id - value: SR-06 - links: - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - rel: reference - text: [FIPS 180-4] - - - href: #0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - rel: reference - text: [FIPS 186-4] - - - href: #11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - rel: reference - text: [FIPS 202] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sr-6_smt - name: statement - prose: Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ sr-6_prm_1 }}. - - - id: sr-6_gdn - name: guidance - prose: A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts. - - - id: sr-8 - class: SP800-53 - title: Notification Agreements - parameters: - - - id: sr-8_prm_1 - - - id: sr-8_prm_2 - depends-on: sr-8_prm_1 - label: organization-defined information - properties: - - - name: label - value: SR-8 - - - name: sort-id - value: SR-08 - links: - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - parts: - - - id: sr-8_smt - name: statement - prose: Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ sr-8_prm_1 }}. - - - id: sr-8_gdn - name: guidance - prose: The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes. - - - id: sr-10 - class: SP800-53 - title: Inspection of Systems or Components - parameters: - - - id: sr-10_prm_1 - - - id: sr-10_prm_2 - depends-on: sr-10_prm_1 - label: organization-defined frequency - - - id: sr-10_prm_3 - depends-on: sr-10_prm_1 - label: organization-defined indications of need for inspection - - - id: sr-10_prm_4 - label: organization-defined systems or system components - properties: - - - name: label - value: SR-10 - - - name: sort-id - value: SR-10 - links: - - - href: #at-3 - rel: related - text: AT-3 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-4 - rel: related - text: SR-4 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: sr-10_smt - name: statement - prose: Inspect the following systems or system components {{ sr-10_prm_1 }} to detect tampering: {{ sr-10_prm_4 }}. - - - id: sr-10_gdn - name: guidance - prose: Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations. - - - id: sr-11 - class: SP800-53 - title: Component Authenticity - parameters: - - - id: sr-11_prm_1 - - - id: sr-11_prm_2 - depends-on: sr-11_prm_1 - label: organization-defined external reporting organizations - - - id: sr-11_prm_3 - depends-on: sr-11_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SR-11 - - - name: sort-id - value: SR-11 - links: - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #sr-9 - rel: related - text: SR-9 - - - href: #sr-10 - rel: related - text: SR-10 - parts: - - - id: sr-11_smt - name: statement - parts: - - - id: sr-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and - - - id: sr-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report counterfeit system components to {{ sr-11_prm_1 }}. - - - id: sr-11_gdn - name: guidance - prose: Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA. - controls: - - - id: sr-11.1 - class: SP800-53-enhancement - title: Anti-counterfeit Training - parameters: - - - id: sr-11.1_prm_1 - label: organization-defined personnel or roles - properties: - - - name: label - value: SR-11(1) - - - name: sort-id - value: SR-11(01) - links: - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: sr-11.1_smt - name: statement - prose: Train {{ sr-11.1_prm_1 }} to detect counterfeit system components (including hardware, software, and firmware). - - - id: sr-11.1_gdn - name: guidance - prose: None. - - - id: sr-11.2 - class: SP800-53-enhancement - title: Configuration Control for Component Service and Repair - parameters: - - - id: sr-11.2_prm_1 - label: organization-defined system components - properties: - - - name: label - value: SR-11(2) - - - name: sort-id - value: SR-11(02) - links: - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #sa-10 - rel: related - text: SA-10 - parts: - - - id: sr-11.2_smt - name: statement - prose: Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ sr-11.2_prm_1 }}. - - - id: sr-11.2_gdn - name: guidance - prose: None. - - - id: sr-11.3 - class: SP800-53-enhancement - title: Component Disposal - parameters: - - - id: sr-11.3_prm_1 - label: organization-defined techniques and methods - properties: - - - name: label - value: SR-11(3) - - - name: sort-id - value: SR-11(03) - links: - - - href: #mp-6 - rel: related - text: MP-6 - parts: - - - id: sr-11.3_smt - name: statement - prose: Dispose of system components using the following techniques and methods: {{ sr-11.3_prm_1 }}. - - - id: sr-11.3_gdn - name: guidance - prose: Proper disposal of system components helps to prevent such components from entering the gray market. - back-matter: - resources: - - - uuid: a7dfa526-b81f-41d7-9875-c8b0faafe74b - title: [PRIVACT] - citation: - text: Privacy Act (P.L. 93-579), December 1974. - rlinks: - - - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf - - - uuid: 43facb7b-0afb-480f-8191-34790d5b444b - title: [EVIDACT] - citation: - text: Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019. - rlinks: - - - href: https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf - - - uuid: 52a8b0c6-0c6b-424b-928d-41c50ba87838 - title: [EO 13526] - citation: - text: Executive Order 13526, *Classified National Security Information*, December 2009. - rlinks: - - - href: https://www.archives.gov/isoo/policy-documents/cnsi-eo.html - - - uuid: 14958422-54f6-471f-a345-802dca594dd8 - title: [FISMA] - citation: - text: Federal Information Security Modernization Act (P.L. 113-283), December 2014. - rlinks: - - - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf - - - uuid: 2b5e12fb-633f-49e6-8aff-81d75bf53545 - title: [EO 13587] - citation: - text: Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information*, October 2011. - rlinks: - - - href: https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net - - - uuid: cde25174-38e0-4a00-8919-8ee3674b8088 - title: [HSPD 7] - citation: - text: Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003. - rlinks: - - - href: https://www.dhs.gov/homeland-security-presidential-directive-7 - - - uuid: 2383ccfd-d8a0-4e3a-bf40-21288ae1e07a - title: [5 CFR 731] - citation: - text: Code of Federal Regulations, Title 5, *Administrative Personnel*, Section 731.106, *Designation of Public Trust Positions and Investigative Requirements*(5 C.F.R. 731.106). - rlinks: - - - href: https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf - - - uuid: 742b7c0e-218e-4fca-9c3d-5f264bbaf2bc - title: [32 CFR 2002] - citation: - text: Code of Federal Regulations, Title 32, *Controlled Unclassified Information*(32 C.F.R 2002). - rlinks: - - - href: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information - - - uuid: 286d42a1-efbe-49a2-9ce1-4c9bf68feb3b - title: [ODNI NITP] - citation: - text: - """ - Office of the Director National Intelligence, *National Insider Threat Policy* - - """ - rlinks: - - - href: https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf - - - uuid: 395f6bb9-bcc2-41fc-977f-04372f4a6a82 - title: [OMB A-108] - citation: - text: - """ - Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf - - - uuid: a646d45d-775f-4887-86d3-5a00ffbc4090 - title: [OMB A-130] - citation: - text: Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016. - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf - - - uuid: f7d3617a-9a4f-4f1a-a688-845081b70390 - title: [OMB M-17-06] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf - - - uuid: 389fe193-866e-46b1-bf1d-38904b56aa7b - title: [OMB M-17-12] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. ** - - """ - rlinks: - - - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf - - - uuid: ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3 - title: [OMB M-17-25] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure*, May 2017. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf - - - uuid: d843e915-eeb6-4bbe-8cab-ccc802088703 - title: [OMB M-19-23] - citation: - text: - """ - Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance*, July 2019. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf - - - uuid: ee96f130-3f91-46ed-a4d8-57e5f220a623 - title: [CNSSI 1253] - citation: - text: Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems*, March 2014. - rlinks: - - - href: https://www.cnss.gov/CNSS/issuances/Instructions.cfm - - - uuid: 24b7b1ec-6430-41de-9353-29fdb1b488fc - title: [DHS NIPP] - citation: - text: Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009. - rlinks: - - - href: https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf - - - uuid: 6ddb507b-6ddb-4e15-a8d4-0854e704446e - title: [ISO 15408-1] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf - - - uuid: 18abb755-c10f-407d-b0ef-4f99e5ec4a49 - title: [ISO 15408-2] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf - - - uuid: 2ce3a8bf-7f8b-4249-bd16-808231415b14 - title: [ISO 15408-3] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf - - - uuid: aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - title: [FIPS 140-3] - citation: - text: National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.140-3 - - - uuid: d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd - title: [FIPS 180-4] - citation: - text: National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.180-4 - - - uuid: 0b9fe06d-1b89-4dba-b9f8-3baf51504b17 - title: [FIPS 186-4] - citation: - text: National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.186-4 - - - uuid: bbc7085f-b383-444e-af74-722a55cccc0f - title: [FIPS 197] - citation: - text: National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.197 - - - uuid: b3e26423-0687-47c7-ba9a-a96870d58a27 - title: [FIPS 199] - citation: - text: National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.199 - - - uuid: f2163084-3287-45e2-9ee7-95f020415495 - title: [FIPS 200] - citation: - text: National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.200 - - - uuid: ab414c48-b7a2-4ffe-b74d-4d8b8120adce - title: [FIPS 201-2] - citation: - text: National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.201-2 - - - uuid: 11b9fa15-bc4e-4669-ab65-a2bf74daa9fa - title: [FIPS 202] - citation: - text: National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.202 - - - uuid: 12702585-0c72-43c9-9185-a76a59f74233 - title: [SP 800-12] - citation: - text: - """ - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-12r1 - - - uuid: ae962073-f9bb-4210-b1ad-53ef6f6afad6 - title: [SP 800-18] - citation: - text: - """ - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-18r1 - - - uuid: 8e334d74-fc06-47a9-bbb1-804fdfae0e44 - title: [SP 800-28] - citation: - text: - """ - Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-28ver2 - - - uuid: 1d9f757b-00d5-4db1-b15b-0ad641c6df7c - title: [SP 800-30] - citation: - text: Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-30r1 - - - uuid: b7140427-d4c4-467a-97a1-5ca9f7c6584a - title: [SP 800-32] - citation: - text: Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-32 - - - uuid: 65774382-fcc6-4bbc-89fc-9d35aab19952 - title: [SP 800-34] - citation: - text: Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-34r1 - - - uuid: ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - title: [SP 800-35] - citation: - text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-35 - - - uuid: e07d73ea-96b9-4330-aff2-e0215f455343 - title: [SP 800-37] - citation: - text: Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-37r2 - - - uuid: 451e9636-402e-4c27-b3f5-e0e50f957f27 - title: [SP 800-39] - citation: - text: Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-39 - - - uuid: 1126ec09-2b27-4a21-80b2-fef70b31c49d - title: [SP 800-40] - citation: - text: Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-40r3 - - - uuid: db7877cf-1013-4fb1-b943-ca9361d16370 - title: [SP 800-41] - citation: - text: Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-41r1 - - - uuid: 23b0a203-c020-47dd-b86c-9f8c35ecaa4e - title: [SP 800-45] - citation: - text: Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-45ver2 - - - uuid: 7768c184-088d-4ee8-a316-f9286b52df7f - title: [SP 800-46] - citation: - text: Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-46r2 - - - uuid: 2e66c31a-190e-49ad-8e00-f306f8a0df17 - title: [SP 800-47] - citation: - text: Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-47 - - - uuid: 2e29c363-d5be-47ba-92f5-f8a58a69b65e - title: [SP 800-50] - citation: - text: Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-50 - - - uuid: 286604ec-e383-4c1d-bd8c-d88f88e54a0f - title: [SP 800-52] - citation: - text: McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-52r2 - - - uuid: 5db6dfe4-788e-4183-93b9-f6fb29d75e41 - title: [SP 800-53A] - citation: - text: Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 - - - uuid: 31f3c9de-c57c-4281-929b-f9951f9640f1 - title: [SP 800-53B] - citation: - text: National Institute of Standards and Technology Special Publication 800-53B, *Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations*. Projected for publication in 2020. - - - uuid: 8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - title: [SP 800-55] - citation: - text: Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-55r1 - - - uuid: 77dc1838-3664-4faa-bc6e-4e2a16e52f35 - title: [SP 800-56A] - citation: - text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Ar3 - - - uuid: f417e4ec-cadb-47a8-a363-6006b32c28ad - title: [SP 800-56B] - citation: - text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Br2 - - - uuid: 7c3ba335-62bd-4f03-888f-960790409b11 - title: [SP 800-56C] - citation: - text: Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-56Cr1 - - - uuid: 770f9bdc-4023-48ef-8206-c65397f061ea - title: [SP 800-57-1] - citation: - text: Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt1r4 - - - uuid: 69644a9e-438a-47c3-bac9-cf28b5baf848 - title: [SP 800-57-2] - citation: - text: Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt2r1 - - - uuid: 9933c883-e8f3-4a83-9a9a-d1e058038080 - title: [SP 800-57-3] - citation: - text: Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-57pt3r1 - - - uuid: 68949f14-9cf5-4116-91d8-e820b9df3ffd - title: [SP 800-60 v1] - citation: - text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 - - - uuid: e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - title: [SP 800-60 v2] - citation: - text: Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 - - - uuid: 7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - title: [SP 800-61] - citation: - text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-61r2 - - - uuid: 549993c0-9bdd-4d49-875c-f56950cc5f30 - title: [SP 800-63-3] - citation: - text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-63-3 - - - uuid: 3c50fa31-7f4d-4d30-91d7-27ee87cd5f75 - title: [SP 800-63A] - citation: - text: Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-63a - - - uuid: 14a7d982-9747-48e0-a877-3e8fbf6ae381 - title: [SP 800-70] - citation: - text: Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-70r4 - - - uuid: 3d6b3a16-94e7-4a43-8648-8bdeaadb271b - title: [SP 800-73-4] - citation: - text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-73-4 - - - uuid: d5ef0056-c807-44c3-a7b5-6eb491538f8e - title: [SP 800-76-2] - citation: - text: - """ - Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-76-2 - - - uuid: 8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa - title: [SP 800-77] - citation: - text: Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-77 - - - uuid: 013e098f-0680-4856-a130-b768c69dab9c - title: [SP 800-78-4] - citation: - text: - """ - Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-78-4 - - - uuid: bb55e71a-e059-4263-8dd8-bc96fd3f063d - title: [SP 800-79-2] - citation: - text: - """ - Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-79-2 - - - uuid: 93d44344-59f9-4669-845d-6cc2a5852621 - title: [SP 800-81-2] - citation: - text: - """ - Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-81-2 - - - uuid: 8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - title: [SP 800-83] - citation: - text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-83r1 - - - uuid: 20bf433b-074c-47a0-8fca-cd591772ccd6 - title: [SP 800-84] - citation: - text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-84 - - - uuid: 35dfd59f-eef2-4f71-bdb5-6d878267456a - title: [SP 800-86] - citation: - text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-86 - - - uuid: fed6a3b5-2b74-499f-9172-46671f7c24c8 - title: [SP 800-88] - citation: - text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-88r1 - - - uuid: 02d8ec60-6197-43f8-9f47-18732127963e - title: [SP 800-92] - citation: - text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-92 - - - uuid: 41e2e2c6-2260-4258-85c8-09db17c43103 - title: [SP 800-94] - citation: - text: Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-94 - - - uuid: 1d91d984-0cb6-4f96-a01d-c39a3eee7d43 - title: [SP 800-95] - citation: - text: Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-95 - - - uuid: 6bed1550-cd5d-4e80-8d83-4e597c1514fe - title: [SP 800-97] - citation: - text: Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-97 - - - uuid: 9183bd83-170e-4701-b32c-97e08ef8bedb - title: [SP 800-100] - citation: - text: Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-100 - - - uuid: 1e2c475a-84ae-4c60-b420-8fb2ea552b71 - title: [SP 800-101] - citation: - text: - """ - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-101r1 - - - uuid: 1b14b50f-7154-4226-958c-7dfff8276755 - title: [SP 800-111] - citation: - text: - """ - Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-111 - - - uuid: 36132a58-56fd-4980-9f6c-c010d3faf52b - title: [SP 800-113] - citation: - text: Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-113 - - - uuid: 49fa1ee1-aaf7-4270-bb5a-a86497f717dc - title: [SP 800-114] - citation: - text: Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-114r1 - - - uuid: a6b97214-55d4-4b86-a3a4-53d5911d96f7 - title: [SP 800-115] - citation: - text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-115 - - - uuid: ad7d575f-b5fe-489b-8d48-36a93d964a5f - title: [SP 800-116] - citation: - text: Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-116r1 - - - uuid: 60b24979-65b8-4ca5-a442-11b74339fab5 - title: [SP 800-121] - citation: - text: Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-121r2 - - - uuid: 18c6942b-95f8-414c-b548-c8e6b8d8a172 - title: [SP 800-124] - citation: - text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-124r1 - - - uuid: c972a85c-fa75-4596-be25-a338dc7e4e46 - title: [SP 800-125B] - citation: - text: Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-125B - - - uuid: 0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f - title: [SP 800-126] - citation: - text: Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-126r3 - - - uuid: a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - title: [SP 800-128] - citation: - text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-128 - - - uuid: ae412317-c2b4-47bb-b47b-c329ce0d7a0b - title: [SP 800-130] - citation: - text: Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-130 - - - uuid: c3b34083-77b2-4dab-a980-73068f8933bd - title: [SP 800-137] - citation: - text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-137 - - - uuid: e9224c9b-4fa5-40b7-bfbb-02bff7712d92 - title: [SP 800-147] - citation: - text: Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-147 - - - uuid: ad3e8f21-07c6-4968-b002-00b64dfa70ae - title: [SP 800-150] - citation: - text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-150 - - - uuid: 38dbdf55-9a14-446f-b563-c48e4e3d37fb - title: [SP 800-152] - citation: - text: Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-152 - - - uuid: fd0f14f5-8910-45c4-b60a-0c8936e00daa - title: [SP 800-154] - citation: - text: Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. - rlinks: - - - href: https://csrc.nist.gov/publications/detail/sp/800-154/draft - - - uuid: f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa - title: [SP 800-156] - citation: - text: Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-156 - - - uuid: 8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - title: [SP 800-160 v1] - citation: - text: Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v1 - - - uuid: 8411e6e8-09bd-431d-bbcb-3423d36ad880 - title: [SP 800-160 v2] - citation: - text: Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v2 - - - uuid: 66476e76-46b4-47fb-be19-d13e6f3840df - title: [SP 800-161] - citation: - text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-161 - - - uuid: 359f960c-2598-454c-ba3b-a30c553e498f - title: [SP 800-162] - citation: - text: Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-162 - - - uuid: a8f55663-86c5-415b-aabe-d2a126981d65 - title: [SP 800-166] - citation: - text: Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-166 - - - uuid: 893d1736-324c-41d6-a5f4-d526b5ca981a - title: [SP 800-167] - citation: - text: Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-167 - - - uuid: 0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a - title: [SP 800-171] - citation: - text: Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-171r2 - - - uuid: aad55f03-8ece-4b21-b09c-9ef65b5a9f55 - title: [SP 800-171B] - citation: - text: Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B. - rlinks: - - - href: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf - - - uuid: 64e044e4-b2a9-490f-a079-1106407c812f - title: [SP 800-177] - citation: - text: Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-177r1 - - - uuid: 223b23a9-baea-4a50-8058-63cf7967b61f - title: [SP 800-178] - citation: - text: Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-178 - - - uuid: f4c3f657-de83-47ae-9aec-e144de8268d1 - title: [SP 800-181] - citation: - text: Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-181 - - - uuid: 08f518f7-f9b9-4bee-8986-860214f46b16 - title: [SP 800-184] - citation: - text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-184 - - - uuid: eadef75e-7e4d-4554-b818-44946c1dde0e - title: [SP 800-188] - citation: - text: Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - rlinks: - - - href: https://csrc.nist.gov/publications/detail/sp/800-188/draft - - - uuid: 3862cd94-ff25-4631-9a9a-b92c21a0a923 - title: [SP 800-189] - citation: - text: Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-189 - - - uuid: 06d3c11a-4a00-42d9-ad75-e6a777ffae5e - title: [SP 800-192] - citation: - text: Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-192 - - - uuid: d4779b49-8acc-45ef-b4f0-30f945e81d1b - title: [IR 7539] - citation: - text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7539 - - - uuid: 09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - title: [IR 7559] - citation: - text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7559 - - - uuid: 7b03adec-4405-4aac-94a0-6a9eb3f42e31 - title: [IR 7622] - citation: - text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7622 - - - uuid: daf69edb-a0ef-4447-9880-8c4bf553181f - title: [IR 7676] - citation: - text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7676 - - - uuid: bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c - title: [IR 7788] - citation: - text: Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7788 - - - uuid: a49f67fc-827c-40e6-9a37-2b1cbe8142fd - title: [IR 7817] - citation: - text: Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7817 - - - uuid: 972c10bd-aedf-485f-b0db-f46a402127e2 - title: [IR 7849] - citation: - text: Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7849 - - - uuid: 197f7ba7-9af8-4a67-b3a4-5523d850e53b - title: [IR 7870] - citation: - text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7870 - - - uuid: bb22d510-54a9-4588-b725-00d37576562b - title: [IR 7874] - citation: - text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7874 - - - uuid: f437b52f-7f26-42aa-8e8f-999e7d67b2fe - title: [IR 7956] - citation: - text: Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7956 - - - uuid: 30213e10-2aca-47b3-8cdb-61303e0959f5 - title: [IR 7966] - citation: - text: Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7966 - - - uuid: 851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - title: [IR 8011 v1] - citation: - text: Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8011-1 - - - uuid: 7e7538d7-9c3a-4e5f-bbb4-638cec975415 - title: [IR 8023] - citation: - text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8023 - - - uuid: 24738ee6-b3f3-4e37-825b-58775846bdbc - title: [IR 8040] - citation: - text: Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8040 - - - uuid: 817b4227-5857-494d-9032-915980b32f15 - title: [IR 8062] - citation: - text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8062 - - - uuid: 7a93e915-fd58-4147-be12-e48044c367e6 - title: [IR 8179] - citation: - text: Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8179 - - - uuid: 294eed19-7471-4517-9480-2ec73e7c6a78 - title: [DOD STIG] - citation: - text: Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*. - rlinks: - - - href: https://iase.disa.mil/stigs/Pages/index.aspx - - - uuid: 17ca9481-ea11-4ef2-81c1-885fd37d4be5 - title: [IETF 5905] - citation: - text: - - - uuid: dd87fdf0-840d-4392-9de4-220b2327e340 - title: [NARA CUI] - citation: - text: National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. - rlinks: - - - href: https://www.archives.gov/cui - - - uuid: 5dac2312-1d0d-416f-aebb-400fa9775b74 - title: [NIAP CCEVS] - citation: - text: National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*. - rlinks: - - - href: https://www.niap-ccevs.org/ - - - uuid: 5cc04a1c-5489-4751-a493-746a9639067b - title: [NCPR] - citation: - text: National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at - rlinks: - - - href: https://nvd.nist.gov/ncp/repository - - - uuid: 634dec27-df88-4c30-b1a4-b57cdfd24f20 - title: [NSA CSFC] - citation: - text: National Security Agency, *Commercial Solutions for Classified Program (CSfC)*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/csfc - - - uuid: a52271dc-11b5-423a-8b6f-14867bd94259 - title: [NSA MEDIA] - citation: - text: National Security Agency, *Media Destruction Guidance*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/media-destruction - - - uuid: 06842bea-64c9-4e20-807a-b8fc003fa737 - title: [USGCB] - citation: - text: National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at - rlinks: - - - href: https://csrc.nist.gov/projects/united-states-government-configuration-baseline diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.yaml deleted file mode 100644 index aed1c59f4d..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_MODERATE-baseline_profile.yaml +++ /dev/null @@ -1,684 +0,0 @@ -profile: - uuid: 0976da03-108c-4f01-81a6-ad9ed63354fe - metadata: - title: SP800-53 MODERATE IMPACT BASELINE - last-modified: 2020-08-26T16:28:37.775-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - contact: - party-uuids: 2ef7cfec-cb8e-4571-a7a2-a5c609b4767a - imports: - - - href: NIST_SP-800-53_rev5-FPD_catalog.xml - include: - id-selectors: - - - control-id: ac-1 - - - control-id: ac-2 - - - control-id: ac-2.1 - - - control-id: ac-2.2 - - - control-id: ac-2.3 - - - control-id: ac-2.4 - - - control-id: ac-2.5 - - - control-id: ac-2.13 - - - control-id: ac-3 - - - control-id: ac-4 - - - control-id: ac-5 - - - control-id: ac-6 - - - control-id: ac-6.1 - - - control-id: ac-6.2 - - - control-id: ac-6.5 - - - control-id: ac-6.7 - - - control-id: ac-6.9 - - - control-id: ac-6.10 - - - control-id: ac-7 - - - control-id: ac-8 - - - control-id: ac-11 - - - control-id: ac-11.1 - - - control-id: ac-12 - - - control-id: ac-14 - - - control-id: ac-17 - - - control-id: ac-17.1 - - - control-id: ac-17.2 - - - control-id: ac-17.3 - - - control-id: ac-17.4 - - - control-id: ac-18 - - - control-id: ac-18.1 - - - control-id: ac-18.3 - - - control-id: ac-19 - - - control-id: ac-19.5 - - - control-id: ac-20 - - - control-id: ac-20.1 - - - control-id: ac-20.2 - - - control-id: ac-21 - - - control-id: ac-22 - - - control-id: at-1 - - - control-id: at-2 - - - control-id: at-2.2 - - - control-id: at-2.3 - - - control-id: at-3 - - - control-id: at-4 - - - control-id: au-1 - - - control-id: au-2 - - - control-id: au-3 - - - control-id: au-3.1 - - - control-id: au-4 - - - control-id: au-5 - - - control-id: au-6 - - - control-id: au-6.1 - - - control-id: au-6.3 - - - control-id: au-7 - - - control-id: au-7.1 - - - control-id: au-8 - - - control-id: au-8.1 - - - control-id: au-9 - - - control-id: au-9.4 - - - control-id: au-11 - - - control-id: au-12 - - - control-id: ca-1 - - - control-id: ca-2 - - - control-id: ca-2.1 - - - control-id: ca-3 - - - control-id: ca-5 - - - control-id: ca-6 - - - control-id: ca-7 - - - control-id: ca-7.1 - - - control-id: ca-7.4 - - - control-id: ca-9 - - - control-id: cm-1 - - - control-id: cm-2 - - - control-id: cm-2.2 - - - control-id: cm-2.3 - - - control-id: cm-2.7 - - - control-id: cm-3 - - - control-id: cm-3.2 - - - control-id: cm-3.4 - - - control-id: cm-4 - - - control-id: cm-4.2 - - - control-id: cm-5 - - - control-id: cm-6 - - - control-id: cm-7 - - - control-id: cm-7.1 - - - control-id: cm-7.2 - - - control-id: cm-7.5 - - - control-id: cm-8 - - - control-id: cm-8.1 - - - control-id: cm-8.3 - - - control-id: cm-9 - - - control-id: cm-10 - - - control-id: cm-11 - - - control-id: cm-12 - - - control-id: cm-12.1 - - - control-id: cp-1 - - - control-id: cp-2 - - - control-id: cp-2.1 - - - control-id: cp-2.3 - - - control-id: cp-2.8 - - - control-id: cp-3 - - - control-id: cp-4 - - - control-id: cp-4.1 - - - control-id: cp-6 - - - control-id: cp-6.1 - - - control-id: cp-6.3 - - - control-id: cp-7 - - - control-id: cp-7.1 - - - control-id: cp-7.2 - - - control-id: cp-7.3 - - - control-id: cp-8 - - - control-id: cp-8.1 - - - control-id: cp-8.2 - - - control-id: cp-9 - - - control-id: cp-9.1 - - - control-id: cp-9.8 - - - control-id: cp-10 - - - control-id: cp-10.2 - - - control-id: ia-1 - - - control-id: ia-2 - - - control-id: ia-2.1 - - - control-id: ia-2.2 - - - control-id: ia-2.8 - - - control-id: ia-2.12 - - - control-id: ia-3 - - - control-id: ia-4 - - - control-id: ia-4.4 - - - control-id: ia-5 - - - control-id: ia-5.1 - - - control-id: ia-5.2 - - - control-id: ia-5.6 - - - control-id: ia-6 - - - control-id: ia-7 - - - control-id: ia-8 - - - control-id: ia-8.1 - - - control-id: ia-8.2 - - - control-id: ia-8.4 - - - control-id: ia-11 - - - control-id: ia-12 - - - control-id: ia-12.2 - - - control-id: ia-12.3 - - - control-id: ia-12.5 - - - control-id: ir-1 - - - control-id: ir-2 - - - control-id: ir-3 - - - control-id: ir-3.2 - - - control-id: ir-4 - - - control-id: ir-4.1 - - - control-id: ir-5 - - - control-id: ir-6 - - - control-id: ir-6.1 - - - control-id: ir-6.3 - - - control-id: ir-7 - - - control-id: ir-7.1 - - - control-id: ir-8 - - - control-id: ma-1 - - - control-id: ma-2 - - - control-id: ma-3 - - - control-id: ma-3.1 - - - control-id: ma-3.2 - - - control-id: ma-3.3 - - - control-id: ma-4 - - - control-id: ma-5 - - - control-id: ma-6 - - - control-id: mp-1 - - - control-id: mp-2 - - - control-id: mp-3 - - - control-id: mp-4 - - - control-id: mp-5 - - - control-id: mp-6 - - - control-id: mp-7 - - - control-id: pe-1 - - - control-id: pe-2 - - - control-id: pe-3 - - - control-id: pe-4 - - - control-id: pe-5 - - - control-id: pe-6 - - - control-id: pe-6.1 - - - control-id: pe-8 - - - control-id: pe-9 - - - control-id: pe-10 - - - control-id: pe-11 - - - control-id: pe-12 - - - control-id: pe-13 - - - control-id: pe-13.1 - - - control-id: pe-14 - - - control-id: pe-15 - - - control-id: pe-16 - - - control-id: pe-17 - - - control-id: pl-1 - - - control-id: pl-2 - - - control-id: pl-4 - - - control-id: pl-4.1 - - - control-id: pl-8 - - - control-id: pl-10 - - - control-id: pl-11 - - - control-id: pm-1 - - - control-id: pm-2 - - - control-id: pm-3 - - - control-id: pm-4 - - - control-id: pm-5 - - - control-id: pm-5.1 - - - control-id: pm-6 - - - control-id: pm-7 - - - control-id: pm-7.1 - - - control-id: pm-8 - - - control-id: pm-9 - - - control-id: pm-10 - - - control-id: pm-11 - - - control-id: pm-12 - - - control-id: pm-13 - - - control-id: pm-14 - - - control-id: pm-15 - - - control-id: pm-16 - - - control-id: pm-16.1 - - - control-id: pm-17 - - - control-id: pm-18 - - - control-id: pm-19 - - - control-id: pm-20 - - - control-id: pm-21 - - - control-id: pm-22 - - - control-id: pm-23 - - - control-id: pm-24 - - - control-id: pm-25 - - - control-id: pm-26 - - - control-id: pm-27 - - - control-id: pm-28 - - - control-id: pm-29 - - - control-id: pm-30 - - - control-id: pm-31 - - - control-id: pm-32 - - - control-id: ps-1 - - - control-id: ps-2 - - - control-id: ps-3 - - - control-id: ps-4 - - - control-id: ps-5 - - - control-id: ps-6 - - - control-id: ps-7 - - - control-id: ps-8 - - - control-id: ra-1 - - - control-id: ra-2 - - - control-id: ra-3 - - - control-id: ra-3.1 - - - control-id: ra-5 - - - control-id: ra-5.2 - - - control-id: ra-5.5 - - - control-id: ra-7 - - - control-id: ra-9 - - - control-id: sa-1 - - - control-id: sa-2 - - - control-id: sa-3 - - - control-id: sa-4 - - - control-id: sa-4.1 - - - control-id: sa-4.2 - - - control-id: sa-4.9 - - - control-id: sa-4.10 - - - control-id: sa-5 - - - control-id: sa-8 - - - control-id: sa-9 - - - control-id: sa-9.2 - - - control-id: sa-10 - - - control-id: sa-11 - - - control-id: sa-15 - - - control-id: sa-15.3 - - - control-id: sa-22 - - - control-id: sc-1 - - - control-id: sc-2 - - - control-id: sc-4 - - - control-id: sc-5 - - - control-id: sc-7 - - - control-id: sc-7.3 - - - control-id: sc-7.4 - - - control-id: sc-7.5 - - - control-id: sc-7.7 - - - control-id: sc-7.8 - - - control-id: sc-8 - - - control-id: sc-8.1 - - - control-id: sc-10 - - - control-id: sc-12 - - - control-id: sc-13 - - - control-id: sc-15 - - - control-id: sc-17 - - - control-id: sc-18 - - - control-id: sc-20 - - - control-id: sc-21 - - - control-id: sc-22 - - - control-id: sc-23 - - - control-id: sc-28 - - - control-id: sc-28.1 - - - control-id: sc-39 - - - control-id: si-1 - - - control-id: si-2 - - - control-id: si-2.2 - - - control-id: si-3 - - - control-id: si-3.1 - - - control-id: si-4 - - - control-id: si-4.2 - - - control-id: si-4.4 - - - control-id: si-4.5 - - - control-id: si-5 - - - control-id: si-7 - - - control-id: si-7.1 - - - control-id: si-7.7 - - - control-id: si-8 - - - control-id: si-8.1 - - - control-id: si-8.2 - - - control-id: si-10 - - - control-id: si-11 - - - control-id: si-12 - - - control-id: si-16 - - - control-id: sr-1 - - - control-id: sr-2 - - - control-id: sr-2.1 - - - control-id: sr-3 - - - control-id: sr-5 - - - control-id: sr-6 - - - control-id: sr-8 - - - control-id: sr-10 - - - control-id: sr-11 - - - control-id: sr-11.1 - - - control-id: sr-11.2 - - - control-id: sr-11.3 - merge: - as-is: true diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.yaml deleted file mode 100644 index 401afee91a..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline-resolved-profile_catalog.yaml +++ /dev/null @@ -1,9692 +0,0 @@ -catalog: - uuid: 9c407281-40f0-4c8b-9e99-7cee1529b5b1 - metadata: - title: SP800-53 PRIVACY BASELINE - last-modified: 2020-08-26T16:28:37.032-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - properties: - - - name: resolution-timestamp - value: 2020-08-31T17:39:57.58205Z - links: - - - href: NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.xml - rel: resolution-source - text: SP800-53 PRIVACY BASELINE - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - contact: - party-uuids: d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - groups: - - - id: ac - class: family - title: Access Control - controls: - - - id: ac-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ac-1_prm_1 - label: organization-defined personnel or roles - - - id: ac-1_prm_2 - - - id: ac-1_prm_3 - label: organization-defined official - - - id: ac-1_prm_4 - label: organization-defined frequency - - - id: ac-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AC-1 - - - name: sort-id - value: AC-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #bb22d510-54a9-4588-b725-00d37576562b - rel: reference - text: [IR 7874] - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ac-1_smt - name: statement - parts: - - - id: ac-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ac-1_prm_1 }}: - parts: - - - id: ac-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ac-1_prm_2 }} access control policy that: - """ - parts: - - - id: ac-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ac-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ac-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the access control policy and the associated access controls; - - - id: ac-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and - - - id: ac-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current access control: - parts: - - - id: ac-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ac-1_prm_4 }}; and - - - id: ac-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ac-1_prm_5 }}. - - - id: ac-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: at - class: family - title: Awareness and Training - controls: - - - id: at-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: at-1_prm_1 - label: organization-defined personnel or roles - - - id: at-1_prm_2 - - - id: at-1_prm_3 - label: organization-defined official - - - id: at-1_prm_4 - label: organization-defined frequency - - - id: at-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AT-1 - - - name: sort-id - value: AT-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-1_smt - name: statement - parts: - - - id: at-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ at-1_prm_1 }}: - parts: - - - id: at-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ at-1_prm_2 }} awareness and training policy that: - """ - parts: - - - id: at-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: at-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: at-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; - - - id: at-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ at-1_prm_3 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and - - - id: at-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current awareness and training: - parts: - - - id: at-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ at-1_prm_4 }}; and - - - id: at-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ at-1_prm_5 }}. - - - id: at-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: at-2 - class: SP800-53 - title: Awareness Training - parameters: - - - id: at-2_prm_1 - label: organization-defined frequency - - - id: at-2_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: AT-2 - - - name: sort-id - value: AT-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-16 - rel: related - text: SA-16 - parts: - - - id: at-2_smt - name: statement - parts: - - - id: at-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide security and privacy awareness training to system users (including managers, senior executives, and contractors): - parts: - - - id: at-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: As part of initial training for new users and {{ at-2_prm_1 }} thereafter; and - - - id: at-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update awareness training {{ at-2_prm_2 }}. - - - id: at-2_gdn - name: guidance - prose: - """ - Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. - Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective. - """ - controls: - - - id: at-2.5 - class: SP800-53-enhancement - title: Breach - properties: - - - name: label - value: AT-2(5) - - - name: sort-id - value: AT-02(05) - links: - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ir-2 - rel: related - text: IR-2 - parts: - - - id: at-2.5_smt - name: statement - prose: Provide awareness training on how to identify and respond to a breach, including the organization’s process for reporting a breach. - - - id: at-2.5_gdn - name: guidance - prose: A breach is a type of incident that involves personally identifiable information. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The awareness training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Awareness training includes tabletop exercises that simulate a breach. - - - id: at-3 - class: SP800-53 - title: Role-based Training - parameters: - - - id: at-3_prm_1 - label: organization-defined roles and responsibilities - - - id: at-3_prm_2 - label: organization-defined frequency - - - id: at-3_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AT-3 - - - name: sort-id - value: AT-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-13 - rel: related - text: PM-13 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: at-3_smt - name: statement - parts: - - - id: at-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ at-3_prm_1 }}: - parts: - - - id: at-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Before authorizing access to the system, information, or performing assigned duties, and {{ at-3_prm_2 }} thereafter; and - - - id: at-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: When required by system changes; and - - - id: at-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update role-based training {{ at-3_prm_3 }}. - - - id: at-3_gdn - name: guidance - prose: - """ - Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information. - Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective. - """ - controls: - - - id: at-3.5 - class: SP800-53-enhancement - title: Accessing Personally Identifiable Information - parameters: - - - id: at-3.5_prm_1 - label: organization-defined personnel or roles - - - id: at-3.5_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: AT-3(5) - - - name: sort-id - value: AT-03(05) - parts: - - - id: at-3.5_smt - name: statement - prose: Provide {{ at-3.5_prm_1 }} with initial and {{ at-3.5_prm_2 }} training on: - parts: - - - id: at-3.5_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Organizational authority for collecting personally identifiable information; - - - id: at-3.5_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Authorized uses of personally identifiable information; - - - id: at-3.5_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Identifying, reporting, and responding to a suspected or confirmed breach; - - - id: at-3.5_smt.d - name: item - properties: - - - name: label - value: (d) - prose: Content of system of records notices, computer matching agreements, and privacy impact assessments; - - - id: at-3.5_smt.e - name: item - properties: - - - name: label - value: (e) - prose: Authorized sharing of personally identifiable information with external parties; and - - - id: at-3.5_smt.f - name: item - properties: - - - name: label - value: (f) - prose: Rules of behavior and the consequences for unauthorized collection, use, or sharing of personally identifiable information. - - - id: at-3.5_gdn - name: guidance - prose: Role-based training addresses the responsibility of individuals when accessing personally identifiable information; the organization’s established rules of behavior when accessing personally identifiable information; the consequences for violating the rules of behavior; and how to respond to a breach. Role-based training helps ensure personnel comply with applicable privacy requirements and is necessary to manage privacy risks. - - - id: at-4 - class: SP800-53 - title: Training Records - parameters: - - - id: at-4_prm_1 - label: organization-defined time-period - properties: - - - name: label - value: AT-4 - - - name: sort-id - value: AT-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: at-4_smt - name: statement - parts: - - - id: at-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and - - - id: at-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain individual training records for {{ at-4_prm_1 }}. - - - id: at-4_gdn - name: guidance - prose: Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies. - - - id: au - class: family - title: Audit and Accountability - controls: - - - id: au-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: au-1_prm_1 - label: organization-defined personnel or roles - - - id: au-1_prm_2 - - - id: au-1_prm_3 - label: organization-defined official - - - id: au-1_prm_4 - label: organization-defined frequency - - - id: au-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: AU-1 - - - name: sort-id - value: AU-01 - links: - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-1_smt - name: statement - parts: - - - id: au-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ au-1_prm_1 }}: - parts: - - - id: au-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ au-1_prm_2 }} audit and accountability policy that: - """ - parts: - - - id: au-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: au-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: au-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; - - - id: au-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ au-1_prm_3 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and - - - id: au-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current audit and accountability: - parts: - - - id: au-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ au-1_prm_4 }}; and - - - id: au-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ au-1_prm_5 }}. - - - id: au-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: au-2 - class: SP800-53 - title: Event Logging - parameters: - - - id: au-2_prm_1 - label: organization-defined event types that the system is capable of logging - - - id: au-2_prm_2 - label: organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type - - - id: au-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: AU-2 - - - name: sort-id - value: AU-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #02d8ec60-6197-43f8-9f47-18732127963e - rel: reference - text: [SP 800-92] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #au-3 - rel: related - text: AU-3 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #au-12 - rel: related - text: AU-12 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #ia-3 - rel: related - text: IA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pm-21 - rel: related - text: PM-21 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - - - href: #si-10 - rel: related - text: SI-10 - - - href: #si-11 - rel: related - text: SI-11 - parts: - - - id: au-2_smt - name: statement - parts: - - - id: au-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify the types of events that the system is capable of logging in support of the audit function: {{ au-2_prm_1 }}; - - - id: au-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; - - - id: au-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Specify the following event types for logging within the system: {{ au-2_prm_2 }}; - - - id: au-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and - - - id: au-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Review and update the event types selected for logging {{ au-2_prm_3 }}. - - - id: au-2_gdn - name: guidance - prose: - """ - An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. - To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage. - Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. - """ - - - id: au-11 - class: SP800-53 - title: Audit Record Retention - parameters: - - - id: au-11_prm_1 - label: organization-defined time-period consistent with records retention policy - properties: - - - name: label - value: AU-11 - - - name: sort-id - value: AU-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #au-4 - rel: related - text: AU-4 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-9 - rel: related - text: AU-9 - - - href: #au-14 - rel: related - text: AU-14 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: au-11_smt - name: statement - prose: Retain audit records for {{ au-11_prm_1 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - - - id: au-11_gdn - name: guidance - prose: Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. - - - id: ca - class: family - title: Assessment, Authorization, and Monitoring - controls: - - - id: ca-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ca-1_prm_1 - label: organization-defined personnel or roles - - - id: ca-1_prm_2 - - - id: ca-1_prm_3 - label: organization-defined official - - - id: ca-1_prm_4 - label: organization-defined frequency - - - id: ca-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-1 - - - name: sort-id - value: CA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-1_smt - name: statement - parts: - - - id: ca-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ca-1_prm_1 }}: - parts: - - - id: ca-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ca-1_prm_2 }} assessment, authorization, and monitoring policy that: - """ - parts: - - - id: ca-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ca-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ca-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; - - - id: ca-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ca-1_prm_3 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and - - - id: ca-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current assessment, authorization, and monitoring: - parts: - - - id: ca-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ca-1_prm_4 }}; and - - - id: ca-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ca-1_prm_5 }}. - - - id: ca-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ca-2 - class: SP800-53 - title: Control Assessments - parameters: - - - id: ca-2_prm_1 - label: organization-defined frequency - - - id: ca-2_prm_2 - label: organization-defined individuals or roles - properties: - - - name: label - value: CA-2 - - - name: sort-id - value: CA-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-3 - rel: related - text: SR-3 - parts: - - - id: ca-2_smt - name: statement - parts: - - - id: ca-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a control assessment plan that describes the scope of the assessment including: - parts: - - - id: ca-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Controls and control enhancements under assessment; - - - id: ca-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Assessment procedures to be used to determine control effectiveness; and - - - id: ca-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Assessment environment, assessment team, and assessment roles and responsibilities; - - - id: ca-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; - - - id: ca-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Assess the controls in the system and its environment of operation {{ ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; - - - id: ca-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Produce a control assessment report that document the results of the assessment; and - - - id: ca-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Provide the results of the control assessment to {{ ca-2_prm_2 }}. - - - id: ca-2_gdn - name: guidance - prose: - """ - Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. - Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. - Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. - To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control. - """ - - - id: ca-5 - class: SP800-53 - title: Plan of Action and Milestones - parameters: - - - id: ca-5_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-5 - - - name: sort-id - value: CA-05 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-5_smt - name: statement - parts: - - - id: ca-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and - - - id: ca-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update existing plan of action and milestones {{ ca-5_prm_1 }} based on the findings from control assessments, audits, and continuous monitoring activities. - - - id: ca-5_gdn - name: guidance - prose: Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB. - - - id: ca-6 - class: SP800-53 - title: Authorization - parameters: - - - id: ca-6_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: CA-6 - - - name: sort-id - value: CA-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ca-6_smt - name: statement - parts: - - - id: ca-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Assign a senior official as the authorizing official for the system; - - - id: ca-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; - - - id: ca-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ensure that the authorizing official for the system, before commencing operations: - parts: - - - id: ca-6_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Accepts the use of common controls inherited by the system; and - - - id: ca-6_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Authorizes the system to operate; - - - id: ca-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; - - - id: ca-6_smt.e - name: item - properties: - - - name: label - value: e. - prose: Update the authorizations {{ ca-6_prm_1 }}. - - - id: ca-6_gdn - name: guidance - prose: - """ - Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. - Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. - """ - - - id: ca-7 - class: SP800-53 - title: Continuous Monitoring - parameters: - - - id: ca-7_prm_1 - label: organization-defined system-level metrics - - - id: ca-7_prm_2 - label: organization-defined frequencies - - - id: ca-7_prm_3 - label: organization-defined frequencies - - - id: ca-7_prm_4 - label: organization-defined personnel or roles - - - id: ca-7_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CA-7 - - - name: sort-id - value: CA-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - rel: reference - text: [IR 8011 v1] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-31 - rel: related - text: PM-31 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-6 - rel: related - text: SR-6 - parts: - - - id: ca-7_smt - name: statement - prose: Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: - parts: - - - id: ca-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following system-level metrics to be monitored: {{ ca-7_prm_1 }}; - - - id: ca-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessment of control effectiveness; - - - id: ca-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing control assessments in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; - - - id: ca-7_smt.e - name: item - properties: - - - name: label - value: e. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: ca-7_smt.f - name: item - properties: - - - name: label - value: f. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: ca-7_smt.g - name: item - properties: - - - name: label - value: g. - prose: - """ - Reporting the security and privacy status of the system to {{ ca-7_prm_4 }} - {{ ca-7_prm_5 }}. - """ - - - id: ca-7_gdn - name: guidance - prose: - """ - Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. - Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - """ - controls: - - - id: ca-7.4 - class: SP800-53-enhancement - title: Risk Monitoring - properties: - - - name: label - value: CA-7(4) - - - name: sort-id - value: CA-07(04) - parts: - - - id: ca-7.4_smt - name: statement - prose: Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: - parts: - - - id: ca-7.4_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Effectiveness monitoring; - - - id: ca-7.4_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Compliance monitoring; and - - - id: ca-7.4_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Change monitoring. - - - id: ca-7.4_gdn - name: guidance - prose: Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk. - - - id: cm - class: family - title: Configuration Management - controls: - - - id: cm-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: cm-1_prm_1 - label: organization-defined personnel or roles - - - id: cm-1_prm_2 - - - id: cm-1_prm_3 - label: organization-defined official - - - id: cm-1_prm_4 - label: organization-defined frequency - - - id: cm-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: CM-1 - - - name: sort-id - value: CM-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: cm-1_smt - name: statement - parts: - - - id: cm-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ cm-1_prm_1 }}: - parts: - - - id: cm-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ cm-1_prm_2 }} configuration management policy that: - """ - parts: - - - id: cm-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: cm-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: cm-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; - - - id: cm-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ cm-1_prm_3 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and - - - id: cm-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current configuration management: - parts: - - - id: cm-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ cm-1_prm_4 }}; and - - - id: cm-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ cm-1_prm_5 }}. - - - id: cm-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: cm-4 - class: SP800-53 - title: Impact Analyses - properties: - - - name: label - value: CM-4 - - - name: sort-id - value: CM-04 - links: - - - href: #a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - rel: reference - text: [SP 800-128] - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-10 - rel: related - text: SA-10 - - - href: #si-2 - rel: related - text: SI-2 - parts: - - - id: cm-4_smt - name: statement - prose: Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. - - - id: cm-4_gdn - name: guidance - prose: Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required. - - - id: ir - class: family - title: Incident Response - controls: - - - id: ir-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ir-1_prm_1 - label: organization-defined personnel or roles - - - id: ir-1_prm_2 - - - id: ir-1_prm_3 - label: organization-defined official - - - id: ir-1_prm_4 - label: organization-defined frequency - - - id: ir-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: IR-1 - - - name: sort-id - value: IR-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #2e29c363-d5be-47ba-92f5-f8a58a69b65e - rel: reference - text: [SP 800-50] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - rel: reference - text: [SP 800-83] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ir-1_smt - name: statement - parts: - - - id: ir-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ir-1_prm_1 }}: - parts: - - - id: ir-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ir-1_prm_2 }} incident response policy that: - """ - parts: - - - id: ir-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ir-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ir-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; - - - id: ir-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ir-1_prm_3 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and - - - id: ir-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current incident response: - parts: - - - id: ir-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ir-1_prm_4 }}; and - - - id: ir-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ir-1_prm_5 }}. - - - id: ir-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ir-3 - class: SP800-53 - title: Incident Response Testing - parameters: - - - id: ir-3_prm_1 - label: organization-defined frequency - - - id: ir-3_prm_2 - label: organization-defined tests - properties: - - - name: label - value: IR-3 - - - name: sort-id - value: IR-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #20bf433b-074c-47a0-8fca-cd591772ccd6 - rel: reference - text: [SP 800-84] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-14 - rel: related - text: PM-14 - parts: - - - id: ir-3_smt - name: statement - prose: Test the effectiveness of the incident response capability for the system {{ ir-3_prm_1 }} using the following tests: {{ ir-3_prm_2 }}. - - - id: ir-3_gdn - name: guidance - prose: Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes. - - - id: ir-4 - class: SP800-53 - title: Incident Handling - properties: - - - name: label - value: IR-4 - - - name: sort-id - value: IR-04 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #35dfd59f-eef2-4f71-bdb5-6d878267456a - rel: reference - text: [SP 800-86] - - - href: #1e2c475a-84ae-4c60-b420-8fb2ea552b71 - rel: reference - text: [SP 800-101] - - - href: #ad3e8f21-07c6-4968-b002-00b64dfa70ae - rel: reference - text: [SP 800-150] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #08f518f7-f9b9-4bee-8986-860214f46b16 - rel: reference - text: [SP 800-184] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-7 - rel: related - text: AU-7 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-3 - rel: related - text: CP-3 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-2 - rel: related - text: IR-2 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-10 - rel: related - text: IR-10 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-7 - rel: related - text: SI-7 - parts: - - - id: ir-4_smt - name: statement - parts: - - - id: ir-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; - - - id: ir-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Coordinate incident handling activities with contingency planning activities; - - - id: ir-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and - - - id: ir-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. - - - id: ir-4_gdn - name: guidance - prose: Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk. - - - id: ir-6 - class: SP800-53 - title: Incident Reporting - parameters: - - - id: ir-6_prm_1 - label: organization-defined time-period - - - id: ir-6_prm_2 - label: organization-defined authorities - properties: - - - name: label - value: IR-6 - - - name: sort-id - value: IR-06 - links: - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ir-9 - rel: related - text: IR-9 - parts: - - - id: ir-6_smt - name: statement - parts: - - - id: ir-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within {{ ir-6_prm_1 }}; and - - - id: ir-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Report security, privacy, and supply chain incident information to {{ ir-6_prm_2 }}. - - - id: ir-6_gdn - name: guidance - prose: The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. - - - id: ir-7 - class: SP800-53 - title: Incident Response Assistance - properties: - - - name: label - value: IR-7 - - - name: sort-id - value: IR-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - rel: reference - text: [IR 7559] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-6 - rel: related - text: IR-6 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-26 - rel: related - text: PM-26 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: ir-7_smt - name: statement - prose: Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents. - - - id: ir-7_gdn - name: guidance - prose: Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required. - - - id: ir-8 - class: SP800-53 - title: Incident Response Plan - parameters: - - - id: ir-8_prm_1 - label: organization-defined personnel or roles - - - id: ir-8_prm_2 - label: organization-defined frequency - - - id: ir-8_prm_3 - label: organization-defined entities, personnel, or roles - - - id: ir-8_prm_4 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - - id: ir-8_prm_5 - label: organization-defined incident response personnel (identified by name and/or by role) and organizational elements - properties: - - - name: label - value: IR-8 - - - name: sort-id - value: IR-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - rel: reference - text: [SP 800-61] - - - href: #389fe193-866e-46b1-bf1d-38904b56aa7b - rel: reference - text: [OMB M-17-12] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-8 - rel: related - text: SR-8 - parts: - - - id: ir-8_smt - name: statement - parts: - - - id: ir-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop an incident response plan that: - parts: - - - id: ir-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Provides the organization with a roadmap for implementing its incident response capability; - - - id: ir-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Describes the structure and organization of the incident response capability; - - - id: ir-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Provides a high-level approach for how the incident response capability fits into the overall organization; - - - id: ir-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; - - - id: ir-8_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Defines reportable incidents; - - - id: ir-8_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provides metrics for measuring the incident response capability within the organization; - - - id: ir-8_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Defines the resources and management support needed to effectively maintain and mature an incident response capability; - - - id: ir-8_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: - """ - Is reviewed and approved by {{ ir-8_prm_1 }} - {{ ir-8_prm_2 }}; and - """ - - - id: ir-8_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Explicitly designates responsibility for incident response to {{ ir-8_prm_3 }}. - - - id: ir-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the incident response plan to {{ ir-8_prm_4 }}; - - - id: ir-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; - - - id: ir-8_smt.d - name: item - properties: - - - name: label - value: d. - prose: Communicate incident response plan changes to {{ ir-8_prm_5 }}; and - - - id: ir-8_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the incident response plan from unauthorized disclosure and modification. - - - id: ir-8_gdn - name: guidance - prose: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly. - controls: - - - id: ir-8.1 - class: SP800-53-enhancement - title: Privacy Breaches - properties: - - - name: label - value: IR-8(1) - - - name: sort-id - value: IR-08(01) - links: - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-5 - rel: related - text: PT-5 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-8 - rel: related - text: PT-8 - parts: - - - id: ir-8.1_smt - name: statement - prose: Include the following in the Incident Response Plan for breaches involving personally identifiable information: - parts: - - - id: ir-8.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: A process to determine if notice to individuals or other organizations, including oversight organizations, is needed; - - - id: ir-8.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and - - - id: ir-8.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Identification of applicable privacy requirements. - - - id: ir-8.1_gdn - name: guidance - prose: Organizations may be required by law, regulation, or policy to follow specific procedures relating to privacy breaches, including notice to individuals, affected organizations, and oversight bodies, standards of harm, and mitigation or other specific requirements. - - - id: mp - class: family - title: Media Protection - controls: - - - id: mp-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: mp-1_prm_1 - label: organization-defined personnel or roles - - - id: mp-1_prm_2 - - - id: mp-1_prm_3 - label: organization-defined official - - - id: mp-1_prm_4 - label: organization-defined frequency - - - id: mp-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: MP-1 - - - name: sort-id - value: MP-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: mp-1_smt - name: statement - parts: - - - id: mp-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ mp-1_prm_1 }}: - parts: - - - id: mp-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ mp-1_prm_2 }} media protection policy that: - """ - parts: - - - id: mp-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: mp-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: mp-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; - - - id: mp-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ mp-1_prm_3 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and - - - id: mp-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current media protection: - parts: - - - id: mp-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ mp-1_prm_4 }}; and - - - id: mp-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ mp-1_prm_5 }}. - - - id: mp-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: mp-6 - class: SP800-53 - title: Media Sanitization - parameters: - - - id: mp-6_prm_1 - label: organization-defined system media - - - id: mp-6_prm_2 - label: organization-defined sanitization techniques and procedures - properties: - - - name: label - value: MP-6 - - - name: sort-id - value: MP-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #fed6a3b5-2b74-499f-9172-46671f7c24c8 - rel: reference - text: [SP 800-88] - - - href: #18c6942b-95f8-414c-b548-c8e6b8d8a172 - rel: reference - text: [SP 800-124] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #a52271dc-11b5-423a-8b6f-14867bd94259 - rel: reference - text: [NSA MEDIA] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #ac-7 - rel: related - text: AC-7 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - - - href: #si-19 - rel: related - text: SI-19 - - - href: #sr-11 - rel: related - text: SR-11 - parts: - - - id: mp-6_smt - name: statement - parts: - - - id: mp-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Sanitize {{ mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ mp-6_prm_2 }}; and - - - id: mp-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. - - - id: mp-6_gdn - name: guidance - prose: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information. - - - id: pl - class: family - title: Planning - controls: - - - id: pl-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pl-1_prm_1 - label: organization-defined personnel or roles - - - id: pl-1_prm_2 - - - id: pl-1_prm_3 - label: organization-defined official - - - id: pl-1_prm_4 - label: organization-defined frequency - - - id: pl-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PL-1 - - - name: sort-id - value: PL-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-1_smt - name: statement - parts: - - - id: pl-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pl-1_prm_1 }}: - parts: - - - id: pl-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pl-1_prm_2 }} planning policy that: - """ - parts: - - - id: pl-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pl-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pl-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the planning policy and the associated planning controls; - - - id: pl-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pl-1_prm_3 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and - - - id: pl-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current planning: - parts: - - - id: pl-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pl-1_prm_4 }}; and - - - id: pl-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pl-1_prm_5 }}. - - - id: pl-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pl-2 - class: SP800-53 - title: System Security and Privacy Plans - parameters: - - - id: pl-2_prm_1 - label: organization-defined individuals or groups - - - id: pl-2_prm_2 - label: organization-defined personnel or roles - - - id: pl-2_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PL-2 - - - name: sort-id - value: PL-02 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-14 - rel: related - text: AC-14 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-5 - rel: related - text: MP-5 - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-22 - rel: related - text: SA-22 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pl-2_smt - name: statement - parts: - - - id: pl-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop security and privacy plans for the system that: - parts: - - - id: pl-2_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are consistent with the organization’s enterprise architecture; - - - id: pl-2_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Explicitly define the constituent system components; - - - id: pl-2_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Describe the operational context of the system in terms of missions and business processes; - - - id: pl-2_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Provide the security categorization of the system, including supporting rationale; - - - id: pl-2_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Describe any specific threats to the system that are of concern to the organization; - - - id: pl-2_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Provide the results of a privacy risk assessment for systems processing personally identifiable information; - - - id: pl-2_smt.a.7 - name: item - properties: - - - name: label - value: 7. - prose: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; - - - id: pl-2_smt.a.8 - name: item - properties: - - - name: label - value: 8. - prose: Provide an overview of the security and privacy requirements for the system; - - - id: pl-2_smt.a.9 - name: item - properties: - - - name: label - value: 9. - prose: Identify any relevant control baselines or overlays, if applicable; - - - id: pl-2_smt.a.10 - name: item - properties: - - - name: label - value: 10. - prose: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; - - - id: pl-2_smt.a.11 - name: item - properties: - - - name: label - value: 11. - prose: Include risk determinations for security and privacy architecture and design decisions; - - - id: pl-2_smt.a.12 - name: item - properties: - - - name: label - value: 12. - prose: Include security- and privacy-related activities affecting the system that require planning and coordination with {{ pl-2_prm_1 }}; and - - - id: pl-2_smt.a.13 - name: item - properties: - - - name: label - value: 13. - prose: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. - - - id: pl-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Distribute copies of the plans and communicate subsequent changes to the plans to {{ pl-2_prm_2 }}; - - - id: pl-2_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review the plans {{ pl-2_prm_3 }}; - - - id: pl-2_smt.d - name: item - properties: - - - name: label - value: d. - prose: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and - - - id: pl-2_smt.e - name: item - properties: - - - name: label - value: e. - prose: Protect the plans from unauthorized disclosure and modification. - - - id: pl-2_gdn - name: guidance - prose: - """ - System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. - Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation. - Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. - Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate. - """ - - - id: pl-4 - class: SP800-53 - title: Rules of Behavior - parameters: - - - id: pl-4_prm_1 - label: organization-defined frequency - - - id: pl-4_prm_2 - - - id: pl-4_prm_3 - depends-on: pl-4_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: PL-4 - - - name: sort-id - value: PL-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ae962073-f9bb-4210-b1ad-53ef6f6afad6 - rel: reference - text: [SP 800-18] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-8 - rel: related - text: AC-8 - - - href: #ac-9 - rel: related - text: AC-9 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #ac-18 - rel: related - text: AC-18 - - - href: #ac-19 - rel: related - text: AC-19 - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-2 - rel: related - text: IA-2 - - - href: #ia-4 - rel: related - text: IA-4 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #mp-7 - rel: related - text: MP-7 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pl-4_smt - name: statement - parts: - - - id: pl-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; - - - id: pl-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; - - - id: pl-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the rules of behavior {{ pl-4_prm_1 }}; and - - - id: pl-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ pl-4_prm_2 }}. - - - id: pl-4_gdn - name: guidance - prose: Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons. - controls: - - - id: pl-4.1 - class: SP800-53-enhancement - title: Social Media and External Site/application Usage Restrictions - properties: - - - name: label - value: PL-4(1) - - - name: sort-id - value: PL-04(01) - links: - - - href: #ac-22 - rel: related - text: AC-22 - - - href: #au-13 - rel: related - text: AU-13 - parts: - - - id: pl-4.1_smt - name: statement - prose: Include in the rules of behavior, restrictions on: - parts: - - - id: pl-4.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Use of social media, social networking sites, and external sites/applications; - - - id: pl-4.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Posting organizational information on public websites; and - - - id: pl-4.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications. - - - id: pl-4.1_gdn - name: guidance - prose: Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information. - - - id: pl-8 - class: SP800-53 - title: Security and Privacy Architectures - parameters: - - - id: pl-8_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PL-8 - - - name: sort-id - value: PL-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #cm-2 - rel: related - text: CM-2 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-7 - rel: related - text: PL-7 - - - href: #pl-9 - rel: related - text: PL-9 - - - href: #pm-5 - rel: related - text: PM-5 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: pl-8_smt - name: statement - parts: - - - id: pl-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop security and privacy architectures for the system that: - parts: - - - id: pl-8_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; - - - id: pl-8_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; - - - id: pl-8_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Describe how the architectures are integrated into and support the enterprise architecture; and - - - id: pl-8_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Describe any assumptions about, and dependencies on, external systems and services; - - - id: pl-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update the architectures {{ pl-8_prm_1 }} to reflect changes in the enterprise architecture; and - - - id: pl-8_smt.c - name: item - properties: - - - name: label - value: c. - prose: Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions. - - - id: pl-8_gdn - name: guidance - prose: - """ - The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs. - [SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews). - In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented. - PL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures. - """ - - - id: pl-9 - class: SP800-53 - title: Central Management - parameters: - - - id: pl-9_prm_1 - label: organization-defined controls and related processes - properties: - - - name: label - value: PL-9 - - - name: sort-id - value: PL-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-9 - rel: related - text: PM-9 - parts: - - - id: pl-9_smt - name: statement - prose: Centrally manage {{ pl-9_prm_1 }}. - - - id: pl-9_gdn - name: guidance - prose: - """ - Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and judicious use of organizational resources. Centrally-managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring. - As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6(1), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-7, SI-8. - """ - - - id: pm - class: family - title: Program Management - controls: - - - id: pm-3 - class: SP800-53 - title: Information Security and Privacy Resources - properties: - - - name: label - value: PM-3 - - - name: sort-id - value: PM-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-3_smt - name: statement - parts: - - - id: pm-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; - - - id: pm-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and - - - id: pm-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make available for expenditure, the planned information security and privacy resources. - - - id: pm-3_gdn - name: guidance - prose: Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process. - - - id: pm-4 - class: SP800-53 - title: Plan of Action and Milestones Process - properties: - - - name: label - value: PM-4 - - - name: sort-id - value: PM-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pm-3 - rel: related - text: PM-3 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-4_smt - name: statement - parts: - - - id: pm-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems: - parts: - - - id: pm-4_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; - - - id: pm-4_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and - - - id: pm-4_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Are reported in accordance with established reporting requirements. - - - id: pm-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-4_gdn - name: guidance - prose: The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5. - - - id: pm-6 - class: SP800-53 - title: Measures of Performance - properties: - - - name: label - value: PM-6 - - - name: sort-id - value: PM-06 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - rel: reference - text: [SP 800-55] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ca-7 - rel: related - text: CA-7 - parts: - - - id: pm-6_smt - name: statement - prose: Develop, monitor, and report on the results of information security and privacy measures of performance. - - - id: pm-6_gdn - name: guidance - prose: Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. - - - id: pm-7 - class: SP800-53 - title: Enterprise Architecture - properties: - - - name: label - value: PM-7 - - - name: sort-id - value: PM-07 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #8411e6e8-09bd-431d-bbcb-3423d36ad880 - rel: reference - text: [SP 800-160 v2] - - - href: #au-6 - rel: related - text: AU-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-8 - rel: related - text: PL-8 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-17 - rel: related - text: SA-17 - parts: - - - id: pm-7_smt - name: statement - prose: Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. - - - id: pm-7_gdn - name: guidance - prose: The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines. - - - id: pm-8 - class: SP800-53 - title: Critical Infrastructure Plan - properties: - - - name: label - value: PM-8 - - - name: sort-id - value: PM-08 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #cde25174-38e0-4a00-8919-8ee3674b8088 - rel: reference - text: [HSPD 7] - - - href: #24b7b1ec-6430-41de-9353-29fdb1b488fc - rel: reference - text: [DHS NIPP] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-11 - rel: related - text: PM-11 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pm-8_smt - name: statement - prose: Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. - - - id: pm-8_gdn - name: guidance - prose: Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. - - - id: pm-9 - class: SP800-53 - title: Risk Management Strategy - parameters: - - - id: pm-9_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-9 - - - name: sort-id - value: PM-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-2 - rel: related - text: PM-2 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #pm-30 - rel: related - text: PM-30 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-9 - rel: related - text: RA-9 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: pm-9_smt - name: statement - parts: - - - id: pm-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develops a comprehensive strategy to manage: - parts: - - - id: pm-9_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and - - - id: pm-9_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; - - - id: pm-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Implement the risk management strategy consistently across the organization; and - - - id: pm-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes. - - - id: pm-9_gdn - name: guidance - prose: An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive. - - - id: pm-10 - class: SP800-53 - title: Authorization Process - properties: - - - name: label - value: PM-10 - - - name: sort-id - value: PM-10 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #pl-2 - rel: related - text: PL-2 - parts: - - - id: pm-10_smt - name: statement - parts: - - - id: pm-10_smt.a - name: item - properties: - - - name: label - value: a. - prose: Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; - - - id: pm-10_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and - - - id: pm-10_smt.c - name: item - properties: - - - name: label - value: c. - prose: Integrate the authorization processes into an organization-wide risk management program. - - - id: pm-10_gdn - name: guidance - prose: Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation. - - - id: pm-11 - class: SP800-53 - title: Mission and Business Process Definition - parameters: - - - id: pm-11_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-11 - - - name: sort-id - value: PM-11 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #68949f14-9cf5-4116-91d8-e820b9df3ffd - rel: reference - text: [SP 800-60 v1] - - - href: #e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - rel: reference - text: [SP 800-60 v2] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-7 - rel: related - text: PM-7 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-2 - rel: related - text: SA-2 - parts: - - - id: pm-11_smt - name: statement - parts: - - - id: pm-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and - - - id: pm-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and revise the mission and business processes {{ pm-11_prm_1 }}. - - - id: pm-11_gdn - name: guidance - prose: Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures. - - - id: pm-13 - class: SP800-53 - title: Security and Privacy Workforce - properties: - - - name: label - value: PM-13 - - - name: sort-id - value: PM-13 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f4c3f657-de83-47ae-9aec-e144de8268d1 - rel: reference - text: [SP 800-181] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - parts: - - - id: pm-13_smt - name: statement - prose: Establish a security and privacy workforce development and improvement program. - - - id: pm-13_gdn - name: guidance - prose: Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals. - - - id: pm-14 - class: SP800-53 - title: Testing, Training, and Monitoring - properties: - - - name: label - value: PM-14 - - - name: sort-id - value: PM-14 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #a6b97214-55d4-4b86-a3a4-53d5911d96f7 - rel: reference - text: [SP 800-115] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #at-2 - rel: related - text: AT-2 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cp-4 - rel: related - text: CP-4 - - - href: #ir-3 - rel: related - text: IR-3 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: pm-14_smt - name: statement - parts: - - - id: pm-14_smt.a - name: item - properties: - - - name: label - value: a. - prose: Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: - parts: - - - id: pm-14_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Are developed and maintained; and - - - id: pm-14_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Continue to be executed; and - - - id: pm-14_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - - - id: pm-14_gdn - name: guidance - prose: This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. - - - id: pm-18 - class: SP800-53 - title: Privacy Program Plan - properties: - - - name: label - value: PM-18 - - - name: sort-id - value: PM-18 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-18_smt - name: statement - parts: - - - id: pm-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: - parts: - - - id: pm-18_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; - - - id: pm-18_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; - - - id: pm-18_smt.a.3 - name: item - properties: - - - name: label - value: 3. - prose: Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; - - - id: pm-18_smt.a.4 - name: item - properties: - - - name: label - value: 4. - prose: Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; - - - id: pm-18_smt.a.5 - name: item - properties: - - - name: label - value: 5. - prose: Reflects coordination among organizational entities responsible for the different aspects of privacy; and - - - id: pm-18_smt.a.6 - name: item - properties: - - - name: label - value: 6. - prose: Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and - - - id: pm-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. - - - id: pm-18_gdn - name: guidance - prose: - """ - A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. - The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. - Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization. - Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls. - """ - - - id: pm-19 - class: SP800-53 - title: Privacy Program Leadership Role - properties: - - - name: label - value: PM-19 - - - name: sort-id - value: PM-19 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-18 - rel: related - text: PM-18 - - - href: #pm-20 - rel: related - text: PM-20 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-24 - rel: related - text: PM-24 - parts: - - - id: pm-19_smt - name: statement - prose: Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. - - - id: pm-19_gdn - name: guidance - prose: The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24). - - - id: pm-20 - class: SP800-53 - title: Dissemination of Privacy Program Information - properties: - - - name: label - value: PM-20 - - - name: sort-id - value: PM-20 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #f7d3617a-9a4f-4f1a-a688-845081b70390 - rel: reference - text: [OMB M-17-06] - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-8 - rel: related - text: RA-8 - parts: - - - id: pm-20_smt - name: statement - prose: Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: - parts: - - - id: pm-20_smt.a - name: item - properties: - - - name: label - value: a. - prose: Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; - - - id: pm-20_smt.b - name: item - properties: - - - name: label - value: b. - prose: Ensures that organizational privacy practices and reports are publicly available; and - - - id: pm-20_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. - - - id: pm-20_gdn - name: guidance - prose: Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications. - - - id: pm-21 - class: SP800-53 - title: Accounting of Disclosures - properties: - - - name: label - value: PM-21 - - - name: sort-id - value: PM-21 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #au-2 - rel: related - text: AU-2 - - - href: #pt-2 - rel: related - text: PT-2 - parts: - - - id: pm-21_smt - name: statement - parts: - - - id: pm-21_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: - parts: - - - id: pm-21_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: Date, nature, and purpose of each disclosure; and - - - id: pm-21_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Name and address, or other contact information of the person or organization to which the disclosure was made; - - - id: pm-21_smt.b - name: item - properties: - - - name: label - value: b. - prose: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and - - - id: pm-21_smt.c - name: item - properties: - - - name: label - value: c. - prose: Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. - - - id: pm-21_gdn - name: guidance - prose: - """ - The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. - Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions. - """ - - - id: pm-22 - class: SP800-53 - title: Personally Identifiable Information Quality Management - properties: - - - name: label - value: PM-22 - - - name: sort-id - value: PM-22 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-22_smt - name: statement - prose: Develop and document policies and procedures for: - parts: - - - id: pm-22_smt.a - name: item - properties: - - - name: label - value: a. - prose: Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; - - - id: pm-22_smt.b - name: item - properties: - - - name: label - value: b. - prose: Correcting or deleting inaccurate or outdated personally identifiable information; - - - id: pm-22_smt.c - name: item - properties: - - - name: label - value: c. - prose: Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and - - - id: pm-22_smt.d - name: item - properties: - - - name: label - value: d. - prose: Appeals of adverse decisions on correction or deletion requests. - - - id: pm-22_gdn - name: guidance - prose: - """ - Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. - The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. - Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem. - """ - - - id: pm-24 - class: SP800-53 - title: Data Integrity Board - properties: - - - name: label - value: PM-24 - - - name: sort-id - value: PM-24 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ac-4 - rel: related - text: AC-4 - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-8 - rel: related - text: PT-8 - parts: - - - id: pm-24_smt - name: statement - prose: Establish a Data Integrity Board to: - parts: - - - id: pm-24_smt.a - name: item - properties: - - - name: label - value: a. - prose: Review proposals to conduct or participate in a matching program; and - - - id: pm-24_smt.b - name: item - properties: - - - name: label - value: b. - prose: Conduct an annual review of all matching programs in which the agency has participated. - - - id: pm-24_gdn - name: guidance - prose: A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy. - - - id: pm-25 - class: SP800-53 - title: Minimization of Pii Used in Testing, Training, and Research - parameters: - - - id: pm-25_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PM-25 - - - name: sort-id - value: PM-25 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #sa-3 - rel: related - text: SA-3 - parts: - - - id: pm-25_smt - name: statement - parts: - - - id: pm-25_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; - - - id: pm-25_smt.b - name: item - properties: - - - name: label - value: b. - prose: Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; - - - id: pm-25_smt.c - name: item - properties: - - - name: label - value: c. - prose: Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and - - - id: pm-25_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review and update policies and procedures {{ pm-25_prm_1 }}. - - - id: pm-25_gdn - name: guidance - prose: The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2). - - - id: pm-26 - class: SP800-53 - title: Complaint Management - parameters: - - - id: pm-26_prm_1 - label: organization-defined time-period - - - id: pm-26_prm_2 - label: organization-defined time-period - - - id: pm-26_prm_3 - label: organization-defined time-period - properties: - - - name: label - value: PM-26 - - - name: sort-id - value: PM-26 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pm-26_smt - name: statement - prose: Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes: - parts: - - - id: pm-26_smt.a - name: item - properties: - - - name: label - value: a. - prose: Mechanisms that are easy to use and readily accessible by the public; - - - id: pm-26_smt.b - name: item - properties: - - - name: label - value: b. - prose: All information necessary for successfully filing complaints; - - - id: pm-26_smt.c - name: item - properties: - - - name: label - value: c. - prose: Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ pm-26_prm_1 }}; - - - id: pm-26_smt.d - name: item - properties: - - - name: label - value: d. - prose: Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ pm-26_prm_2 }}; and - - - id: pm-26_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response to complaints, concerns, or questions from individuals within {{ pm-26_prm_3 }}. - - - id: pm-26_gdn - name: guidance - prose: Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information. - - - id: pm-27 - class: SP800-53 - title: Privacy Reporting - parameters: - - - id: pm-27_prm_1 - label: organization-defined privacy reports - - - id: pm-27_prm_2 - label: organization-defined officials - - - id: pm-27_prm_3 - label: organization-defined frequency - properties: - - - name: label - value: PM-27 - - - name: sort-id - value: PM-27 - links: - - - href: #14958422-54f6-471f-a345-802dca594dd8 - rel: reference - text: [FISMA] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-19 - rel: related - text: PM-19 - parts: - - - id: pm-27_smt - name: statement - parts: - - - id: pm-27_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop {{ pm-27_prm_1 }} and disseminate to: - parts: - - - id: pm-27_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and - - - id: pm-27_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: - """ - - {{ pm-27_prm_2 }} and other personnel with responsibility for monitoring privacy program compliance; and - """ - - - id: pm-27_smt.b - name: item - properties: - - - name: label - value: b. - prose: Review and update privacy reports {{ pm-27_prm_3 }}. - - - id: pm-27_gdn - name: guidance - prose: Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. - - - id: pm-31 - class: SP800-53 - title: Continuous Monitoring Strategy - parameters: - - - id: pm-31_prm_1 - label: organization-defined metrics - - - id: pm-31_prm_2 - label: organization-defined frequencies - - - id: pm-31_prm_3 - label: organization-defined frequencies - - - id: pm-31_prm_4 - label: organization-defined personnel or roles - - - id: pm-31_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PM-31 - - - name: sort-id - value: PM-31 - links: - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #ac-2 - rel: related - text: AC-2 - - - href: #ac-6 - rel: related - text: AC-6 - - - href: #ac-17 - rel: related - text: AC-17 - - - href: #at-4 - rel: related - text: AT-4 - - - href: #au-6 - rel: related - text: AU-6 - - - href: #au-13 - rel: related - text: AU-13 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-3 - rel: related - text: CM-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-11 - rel: related - text: CM-11 - - - href: #ia-5 - rel: related - text: IA-5 - - - href: #ir-5 - rel: related - text: IR-5 - - - href: #ma-2 - rel: related - text: MA-2 - - - href: #ma-3 - rel: related - text: MA-3 - - - href: #ma-4 - rel: related - text: MA-4 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-6 - rel: related - text: PE-6 - - - href: #pe-14 - rel: related - text: PE-14 - - - href: #pe-16 - rel: related - text: PE-16 - - - href: #pe-20 - rel: related - text: PE-20 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-6 - rel: related - text: PM-6 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-10 - rel: related - text: PM-10 - - - href: #pm-12 - rel: related - text: PM-12 - - - href: #pm-14 - rel: related - text: PM-14 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sc-5 - rel: related - text: SC-5 - - - href: #sc-7 - rel: related - text: SC-7 - - - href: #sc-18 - rel: related - text: SC-18 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-3 - rel: related - text: SI-3 - - - href: #si-4 - rel: related - text: SI-4 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #sr-2 - rel: related - text: SR-2 - - - href: #sr-4 - rel: related - text: SR-4 - parts: - - - id: pm-31_smt - name: statement - prose: Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: - parts: - - - id: pm-31_smt.a - name: item - properties: - - - name: label - value: a. - prose: Establishing the following organization-wide metrics to be monitored: {{ pm-31_prm_1 }}; - - - id: pm-31_smt.b - name: item - properties: - - - name: label - value: b. - prose: Establishing {{ pm-31_prm_2 }} for monitoring and {{ pm-31_prm_3 }} for assessment of control effectiveness; - - - id: pm-31_smt.c - name: item - properties: - - - name: label - value: c. - prose: Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; - - - id: pm-31_smt.d - name: item - properties: - - - name: label - value: d. - prose: Correlation and analysis of information generated by control assessments and monitoring; - - - id: pm-31_smt.e - name: item - properties: - - - name: label - value: e. - prose: Response actions to address results of the analysis of control assessment and monitoring information; and - - - id: pm-31_smt.f - name: item - properties: - - - name: label - value: f. - prose: - """ - Reporting the security and privacy status of organizational systems to {{ pm-31_prm_4 }} - {{ pm-31_prm_5 }}. - """ - - - id: pm-31_gdn - name: guidance - prose: Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4. - - - id: pm-33 - class: SP800-53 - title: Privacy Policies on Websites, Applications, and Digital Services - properties: - - - name: label - value: PM-33 - - - name: sort-id - value: PM-33 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-19 - rel: related - text: PM-19 - - - href: #pm-20 - rel: related - text: PM-20 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-8 - rel: related - text: RA-8 - parts: - - - id: pm-33_smt - name: statement - prose: Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: - parts: - - - id: pm-33_smt.a - name: item - properties: - - - name: label - value: a. - prose: Are written in plain language and organized in a way that is easy to understand and navigate; - - - id: pm-33_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide useful information that the public would need to make an informed decision about whether and how to interact with the organization; and - - - id: pm-33_smt.c - name: item - properties: - - - name: label - value: c. - prose: Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. - - - id: pm-33_gdn - name: guidance - prose: Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations should post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations should provide a link to the privacy policy on any webpage that collects personally identifiable information. - - - id: pt - class: family - title: Personally Identifiable Information Processing and Transparency - controls: - - - id: pt-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: pt-1_prm_1 - label: organization-defined personnel or roles - - - id: pt-1_prm_2 - - - id: pt-1_prm_3 - label: organization-defined official - - - id: pt-1_prm_4 - label: organization-defined frequency - - - id: pt-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: PT-1 - - - name: sort-id - value: PT-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - parts: - - - id: pt-1_smt - name: statement - parts: - - - id: pt-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ pt-1_prm_1 }}: - parts: - - - id: pt-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ pt-1_prm_2 }} personally identifiable information processing and transparency policy that: - """ - parts: - - - id: pt-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: pt-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: pt-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; - - - id: pt-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ pt-1_prm_3 }} to manage the development, documentation, and dissemination of the incident personally identifiable information processing and transparency policy and procedures; and - - - id: pt-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current personally identifiable information processing and transparency: - parts: - - - id: pt-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ pt-1_prm_4 }}; and - - - id: pt-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ pt-1_prm_5 }}. - - - id: pt-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the PT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: pt-2 - class: SP800-53 - title: Authority to Process Personally Identifiable Information - parameters: - - - id: pt-2_prm_1 - label: organization-defined authority - - - id: pt-2_prm_2 - label: organization-defined processing - - - id: pt-2_prm_3 - label: organization-defined processing - properties: - - - name: label - value: PT-2 - - - name: sort-id - value: PT-02 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pt-2_smt - name: statement - parts: - - - id: pt-2_smt.a - name: item - properties: - - - name: label - value: a. - prose: Determine and document the {{ pt-2_prm_1 }} that permits the {{ pt-2_prm_2 }} of personally identifiable information; and - - - id: pt-2_smt.b - name: item - properties: - - - name: label - value: b. - prose: Restrict the {{ pt-2_prm_3 }} of personally identifiable information to only that which is authorized. - - - id: pt-2_gdn - name: guidance - prose: - """ - Processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes, but is not limited to, creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining. - Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organizations’ policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise from its processing. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks. - Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT] statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and/or other documentation. - Organizations take steps to ensure that personally identifiable information is processed only for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information. - """ - - - id: pt-3 - class: SP800-53 - title: Personally Identifiable Information Processing Purposes - parameters: - - - id: pt-3_prm_1 - label: Assignment organization-defined purpose(s) - - - id: pt-3_prm_2 - label: organization-defined processing - - - id: pt-3_prm_3 - label: organization-defined mechanisms - - - id: pt-3_prm_4 - label: organization-defined requirements - properties: - - - name: label - value: PT-3 - - - name: sort-id - value: PT-03 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ac-3 - rel: related - text: AC-3 - - - href: #at-3 - rel: related - text: AT-3 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-25 - rel: related - text: PM-25 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #pt-7 - rel: related - text: PT-7 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-8 - rel: related - text: RA-8 - - - href: #sc-43 - rel: related - text: SC-43 - - - href: #si-12 - rel: related - text: SI-12 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pt-3_smt - name: statement - parts: - - - id: pt-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Identify and document the {{ pt-3_prm_1 }} for processing personally identifiable information; - - - id: pt-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Describe the purpose(s) in the public privacy notices and policies of the organization; - - - id: pt-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Restrict the {{ pt-3_prm_2 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and - - - id: pt-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Monitor changes in processing personally identifiable information and implement {{ pt-3_prm_3 }} to ensure that any changes are made in accordance with {{ pt-3_prm_4 }}. - - - id: pt-3_gdn - name: guidance - prose: - """ - Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system, and individuals whose information is processed by the system, to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations, and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT] statements, computer matching notices, and other applicable Federal Register notices. - Organizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information. - Organizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes arising from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks arising from changes in personally identifiable information processing purposes. - """ - - - id: pt-4 - class: SP800-53 - title: Minimization - parameters: - - - id: pt-4_prm_1 - label: organization-defined processes - properties: - - - name: label - value: PT-4 - - - name: sort-id - value: PT-04 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #pm-25 - rel: related - text: PM-25 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sc-42 - rel: related - text: SC-42 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: pt-4_smt - name: statement - prose: Implement the privacy principle of minimization using {{ pt-4_prm_1 }}. - - - id: pt-4_gdn - name: guidance - prose: The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose, and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization. - - - id: pt-5 - class: SP800-53 - title: Consent - parameters: - - - id: pt-5_prm_1 - label: organization-defined tools or mechanisms - properties: - - - name: label - value: PT-5 - - - name: sort-id - value: PT-05 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #549993c0-9bdd-4d49-875c-f56950cc5f30 - rel: reference - text: [SP 800-63-3] - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #pt-6 - rel: related - text: PT-6 - parts: - - - id: pt-5_smt - name: statement - prose: Implement {{ pt-5_prm_1 }} for individuals to consent to the processing of their personally identifiable information prior to its collection that: - parts: - - - id: pt-5_smt.a - name: item - properties: - - - name: label - value: a. - prose: Facilitate individuals’ informed decision-making; and - - - id: pt-5_smt.b - name: item - properties: - - - name: label - value: b. - prose: Provide a means for individuals to decline consent. - - - id: pt-5_gdn - name: guidance - prose: Consent allows individuals to participate in the decision-making about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting this control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks arising from their authorization. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the data actions carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon. - - - id: pt-6 - class: SP800-53 - title: Privacy Notice - parameters: - - - id: pt-6_prm_1 - label: organization-defined frequency - - - id: pt-6_prm_2 - label: organization-defined information - properties: - - - name: label - value: PT-6 - - - name: sort-id - value: PT-06 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #pm-20 - rel: related - text: PM-20 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-5 - rel: related - text: PT-5 - - - href: #pt-8 - rel: related - text: PT-8 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #si-18 - rel: related - text: SI-18 - parts: - - - id: pt-6_smt - name: statement - prose: Provide notice to individuals about the processing of personally identifiable information that: - parts: - - - id: pt-6_smt.a - name: item - properties: - - - name: label - value: a. - prose: Is available to individuals upon first interacting with an organization, and subsequently at {{ pt-6_prm_1 }}; - - - id: pt-6_smt.b - name: item - properties: - - - name: label - value: b. - prose: Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; - - - id: pt-6_smt.c - name: item - properties: - - - name: label - value: c. - prose: Identifies the authority that authorizes the processing of personally identifiable information; - - - id: pt-6_smt.d - name: item - properties: - - - name: label - value: d. - prose: Identifies the purposes for which personally identifiable information is to be processed; and - - - id: pt-6_smt.e - name: item - properties: - - - name: label - value: e. - prose: Includes {{ pt-6_prm_2 }}. - - - id: pt-6_gdn - name: guidance - prose: - """ - Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and, other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices. - Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon. - """ - controls: - - - id: pt-6.2 - class: SP800-53-enhancement - title: Privacy Act Statements - properties: - - - name: label - value: PT-6(2) - - - name: sort-id - value: PT-06(02) - links: - - - href: #pt-7 - rel: related - text: PT-7 - parts: - - - id: pt-6.2_smt - name: statement - prose: Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals. - - - id: pt-6.2_gdn - name: guidance - prose: - """ - If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT] statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT] statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond. - [PRIVACT] statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT]. - """ - - - id: pt-7 - class: SP800-53 - title: System of Records Notice - properties: - - - name: label - value: PT-7 - - - name: sort-id - value: PT-07 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #pm-20 - rel: related - text: PM-20 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-6 - rel: related - text: PT-6 - parts: - - - id: pt-7_smt - name: statement - prose: For systems that process information that will be maintained in a Privacy Act system of records: - parts: - - - id: pt-7_smt.a - name: item - properties: - - - name: label - value: a. - prose: Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review; - - - id: pt-7_smt.b - name: item - properties: - - - name: label - value: b. - prose: Publish system of records notices in the Federal Register; and - - - id: pt-7_smt.c - name: item - properties: - - - name: label - value: c. - prose: Keep system of records notices accurate, up-to-date, and scoped in accordance with policy. - - - id: pt-7_gdn - name: guidance - prose: The [PRIVACT] requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a [PRIVACT] system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system, and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108]. - controls: - - - id: pt-7.1 - class: SP800-53-enhancement - title: Routine Uses - parameters: - - - id: pt-7.1_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PT-7(1) - - - name: sort-id - value: PT-07(01) - parts: - - - id: pt-7.1_smt - name: statement - prose: Review all routine uses published in the system of records notice at {{ pt-7.1_prm_1 }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected. - - - id: pt-7.1_gdn - name: guidance - prose: A [PRIVACT] routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT] prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT] requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice. - - - id: pt-7.2 - class: SP800-53-enhancement - title: Exemption Rules - parameters: - - - id: pt-7.2_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: PT-7(2) - - - name: sort-id - value: PT-07(02) - parts: - - - id: pt-7.2_smt - name: statement - prose: Review all Privacy Act exemptions claimed for the system of records at {{ pt-7.2_prm_1 }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice. - - - id: pt-7.2_gdn - name: guidance - prose: The [PRIVACT] includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. These provisions allow agencies in certain circumstances to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate. - - - id: pt-8 - class: SP800-53 - title: Specific Categories of Personally Identifiable Information - parameters: - - - id: pt-8_prm_1 - label: organization-defined processing conditions - properties: - - - name: label - value: PT-8 - - - name: sort-id - value: PT-08 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - parts: - - - id: pt-8_smt - name: statement - prose: Apply {{ pt-8_prm_1 }} for specific categories of personally identifiable information. - - - id: pt-8_gdn - name: guidance - prose: Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from organizational policies and determinations when an organization has determined that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary. - controls: - - - id: pt-8.1 - class: SP800-53-enhancement - title: Social Security Numbers - properties: - - - name: label - value: PT-8(1) - - - name: sort-id - value: PT-08(01) - parts: - - - id: pt-8.1_smt - name: statement - prose: When a system processes Social Security numbers: - parts: - - - id: pt-8.1_smt.a - name: item - properties: - - - name: label - value: (a) - prose: Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier; - - - id: pt-8.1_smt.b - name: item - properties: - - - name: label - value: (b) - prose: Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and - - - id: pt-8.1_smt.c - name: item - properties: - - - name: label - value: (c) - prose: Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it. - - - id: pt-8.1_gdn - name: guidance - prose: Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information, and observe any particular requirements that apply. - - - id: pt-8.2 - class: SP800-53-enhancement - title: First Amendment Information - properties: - - - name: label - value: PT-8(2) - - - name: sort-id - value: PT-08(02) - parts: - - - id: pt-8.2_smt - name: statement - prose: Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. - - - id: pt-8.2_gdn - name: guidance - prose: - """ - None. - Related Controls: The [PRIVACT] limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements. - """ - - - id: pt-9 - class: SP800-53 - title: Computer Matching Requirements - properties: - - - name: label - value: PT-9 - - - name: sort-id - value: PT-09 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #395f6bb9-bcc2-41fc-977f-04372f4a6a82 - rel: reference - text: [OMB A-108] - - - href: #pm-24 - rel: related - text: PM-24 - parts: - - - id: pt-9_smt - name: statement - prose: When a system or organization processes information for the purpose of conducting a matching program: - parts: - - - id: pt-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Obtain approval from the Data Integrity Board to conduct the matching program; - - - id: pt-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Develop and enter into a computer matching agreement; - - - id: pt-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Publish a matching notice in the Federal Register; - - - id: pt-9_smt.d - name: item - properties: - - - name: label - value: d. - prose: Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and - - - id: pt-9_smt.e - name: item - properties: - - - name: label - value: e. - prose: Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual. - - - id: pt-9_gdn - name: guidance - prose: The [PRIVACT] establishes a set of requirements for federal and non-federal agencies when they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. A Federal benefit match is performed for purposes of determining or verifying eligibility for payments under Federal benefit programs, or recouping payments or delinquent debts under Federal benefit programs. A matching program involves not just the matching activity itself, but also the investigative follow-up and ultimate action, if any. - - - id: ra - class: family - title: Risk Assessment - controls: - - - id: ra-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: ra-1_prm_1 - label: organization-defined personnel or roles - - - id: ra-1_prm_2 - - - id: ra-1_prm_3 - label: organization-defined official - - - id: ra-1_prm_4 - label: organization-defined frequency - - - id: ra-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-1 - - - name: sort-id - value: RA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-1_smt - name: statement - parts: - - - id: ra-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ ra-1_prm_1 }}: - parts: - - - id: ra-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ ra-1_prm_2 }} risk assessment policy that: - """ - parts: - - - id: ra-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: ra-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: ra-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; - - - id: ra-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ ra-1_prm_3 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and - - - id: ra-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current risk assessment: - parts: - - - id: ra-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ ra-1_prm_4 }}; and - - - id: ra-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ ra-1_prm_5 }}. - - - id: ra-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: ra-3 - class: SP800-53 - title: Risk Assessment - parameters: - - - id: ra-3_prm_1 - - - id: ra-3_prm_2 - depends-on: ra-3_prm_1 - label: organization-defined document - - - id: ra-3_prm_3 - label: organization-defined frequency - - - id: ra-3_prm_4 - label: organization-defined personnel or roles - - - id: ra-3_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: RA-3 - - - name: sort-id - value: RA-03 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #7e7538d7-9c3a-4e5f-bbb4-638cec975415 - rel: reference - text: [IR 8023] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #cp-6 - rel: related - text: CP-6 - - - href: #cp-7 - rel: related - text: CP-7 - - - href: #ia-8 - rel: related - text: IA-8 - - - href: #ma-5 - rel: related - text: MA-5 - - - href: #pe-3 - rel: related - text: PE-3 - - - href: #pe-18 - rel: related - text: PE-18 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-5 - rel: related - text: RA-5 - - - href: #ra-7 - rel: related - text: RA-7 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-9 - rel: related - text: SA-9 - - - href: #sc-38 - rel: related - text: SC-38 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: ra-3_smt - name: statement - parts: - - - id: ra-3_smt.a - name: item - properties: - - - name: label - value: a. - prose: Conduct a risk assessment, including: - parts: - - - id: ra-3_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and - - - id: ra-3_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; - - - id: ra-3_smt.b - name: item - properties: - - - name: label - value: b. - prose: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; - - - id: ra-3_smt.c - name: item - properties: - - - name: label - value: c. - prose: Document risk assessment results in {{ ra-3_prm_1 }}; - - - id: ra-3_smt.d - name: item - properties: - - - name: label - value: d. - prose: Review risk assessment results {{ ra-3_prm_3 }}; - - - id: ra-3_smt.e - name: item - properties: - - - name: label - value: e. - prose: Disseminate risk assessment results to {{ ra-3_prm_4 }}; and - - - id: ra-3_smt.f - name: item - properties: - - - name: label - value: f. - prose: Update the risk assessment {{ ra-3_prm_5 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. - - - id: ra-3_gdn - name: guidance - prose: - """ - Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities. - Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. - In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination. - """ - - - id: ra-7 - class: SP800-53 - title: Risk Response - properties: - - - name: label - value: RA-7 - - - name: sort-id - value: RA-07 - links: - - - href: #b3e26423-0687-47c7-ba9a-a96870d58a27 - rel: reference - text: [FIPS 199] - - - href: #f2163084-3287-45e2-9ee7-95f020415495 - rel: reference - text: [FIPS 200] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ir-9 - rel: related - text: IR-9 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-28 - rel: related - text: PM-28 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sr-2 - rel: related - text: SR-2 - parts: - - - id: ra-7_smt - name: statement - prose: Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. - - - id: ra-7_gdn - name: guidance - prose: Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated. - - - id: ra-8 - class: SP800-53 - title: Privacy Impact Assessments - properties: - - - name: label - value: RA-8 - - - name: sort-id - value: RA-08 - links: - - - href: #bc2bf069-c3a5-48a4-a274-684d997be0c2 - rel: reference - text: [EGOV] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #cm-13 - rel: related - text: CM-13 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #pt-6 - rel: related - text: PT-6 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #ra-7 - rel: related - text: RA-7 - parts: - - - id: ra-8_smt - name: statement - prose: Conduct privacy impact assessments for systems, programs, or other activities before: - parts: - - - id: ra-8_smt.a - name: item - properties: - - - name: label - value: a. - prose: Developing or procuring information technology that processes personally identifiable information; and - - - id: ra-8_smt.b - name: item - properties: - - - name: label - value: b. - prose: Initiating a new collection of personally identifiable information that: - parts: - - - id: ra-8_smt.b.1 - name: item - properties: - - - name: label - value: 1. - prose: Will be processed using information technology; and - - - id: ra-8_smt.b.2 - name: item - properties: - - - name: label - value: 2. - prose: Includes personally identifiable information permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the federal government. - - - id: ra-8_gdn - name: guidance - prose: - """ - A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis. - Organizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology. - To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes which may have different labels, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. - """ - - - id: sa - class: family - title: System and Services Acquisition - controls: - - - id: sa-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: sa-1_prm_1 - label: organization-defined personnel or roles - - - id: sa-1_prm_2 - - - id: sa-1_prm_3 - label: organization-defined official - - - id: sa-1_prm_4 - label: organization-defined frequency - - - id: sa-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SA-1 - - - name: sort-id - value: SA-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #451e9636-402e-4c27-b3f5-e0e50f957f27 - rel: reference - text: [SP 800-39] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: sa-1_smt - name: statement - parts: - - - id: sa-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ sa-1_prm_1 }}: - parts: - - - id: sa-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ sa-1_prm_2 }} system and services acquisition policy that: - """ - parts: - - - id: sa-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: sa-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: sa-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; - - - id: sa-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ sa-1_prm_3 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and - - - id: sa-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and services acquisition: - parts: - - - id: sa-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ sa-1_prm_4 }}; and - - - id: sa-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ sa-1_prm_5 }}. - - - id: sa-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: sa-4 - class: SP800-53 - title: Acquisition Process - parameters: - - - id: sa-4_prm_1 - - - id: sa-4_prm_2 - depends-on: sa-4_prm_1 - label: organization-defined contract language - properties: - - - name: label - value: SA-4 - - - name: sort-id - value: SA-04 - links: - - - href: #a7dfa526-b81f-41d7-9875-c8b0faafe74b - rel: reference - text: [PRIVACT] - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #6ddb507b-6ddb-4e15-a8d4-0854e704446e - rel: reference - text: [ISO 15408-1] - - - href: #18abb755-c10f-407d-b0ef-4f99e5ec4a49 - rel: reference - text: [ISO 15408-2] - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - rel: reference - text: [FIPS 140-3] - - - href: #ab414c48-b7a2-4ffe-b74d-4d8b8120adce - rel: reference - text: [FIPS 201-2] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #e07d73ea-96b9-4330-aff2-e0215f455343 - rel: reference - text: [SP 800-37] - - - href: #14a7d982-9747-48e0-a877-3e8fbf6ae381 - rel: reference - text: [SP 800-70] - - - href: #3d6b3a16-94e7-4a43-8648-8bdeaadb271b - rel: reference - text: [SP 800-73-4] - - - href: #c3b34083-77b2-4dab-a980-73068f8933bd - rel: reference - text: [SP 800-137] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #d4779b49-8acc-45ef-b4f0-30f945e81d1b - rel: reference - text: [IR 7539] - - - href: #7b03adec-4405-4aac-94a0-6a9eb3f42e31 - rel: reference - text: [IR 7622] - - - href: #daf69edb-a0ef-4447-9880-8c4bf553181f - rel: reference - text: [IR 7676] - - - href: #197f7ba7-9af8-4a67-b3a4-5523d850e53b - rel: reference - text: [IR 7870] - - - href: #817b4227-5857-494d-9032-915980b32f15 - rel: reference - text: [IR 8062] - - - href: #5dac2312-1d0d-416f-aebb-400fa9775b74 - rel: reference - text: [NIAP CCEVS] - - - href: #634dec27-df88-4c30-b1a4-b57cdfd24f20 - rel: reference - text: [NSA CSFC] - - - href: #cm-6 - rel: related - text: CM-6 - - - href: #cm-8 - rel: related - text: CM-8 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-11 - rel: related - text: SA-11 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-16 - rel: related - text: SA-16 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #sa-21 - rel: related - text: SA-21 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-4_smt - name: statement - prose: Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ sa-4_prm_1 }} in the acquisition contract for the system, system component, or system service: - parts: - - - id: sa-4_smt.a - name: item - properties: - - - name: label - value: a. - prose: Security and privacy functional requirements; - - - id: sa-4_smt.b - name: item - properties: - - - name: label - value: b. - prose: Strength of mechanism requirements; - - - id: sa-4_smt.c - name: item - properties: - - - name: label - value: c. - prose: Security and privacy assurance requirements; - - - id: sa-4_smt.d - name: item - properties: - - - name: label - value: d. - prose: Controls needed to satisfy the security and privacy requirements. - - - id: sa-4_smt.e - name: item - properties: - - - name: label - value: e. - prose: Security and privacy documentation requirements; - - - id: sa-4_smt.f - name: item - properties: - - - name: label - value: f. - prose: Requirements for protecting security and privacy documentation; - - - id: sa-4_smt.g - name: item - properties: - - - name: label - value: g. - prose: Description of the system development environment and environment in which the system is intended to operate; - - - id: sa-4_smt.h - name: item - properties: - - - name: label - value: h. - prose: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and - - - id: sa-4_smt.i - name: item - properties: - - - name: label - value: i. - prose: Acceptance criteria. - - - id: sa-4_gdn - name: guidance - prose: - """ - Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle. - Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. - Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement. - """ - - - id: sa-9 - class: SP800-53 - title: External System Services - parameters: - - - id: sa-9_prm_1 - label: organization-defined controls - - - id: sa-9_prm_2 - label: organization-defined processes, methods, and techniques - properties: - - - name: label - value: SA-9 - - - name: sort-id - value: SA-09 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - rel: reference - text: [SP 800-35] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #66476e76-46b4-47fb-be19-d13e6f3840df - rel: reference - text: [SP 800-161] - - - href: #ac-20 - rel: related - text: AC-20 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-4 - rel: related - text: IR-4 - - - href: #ir-7 - rel: related - text: IR-7 - - - href: #pl-10 - rel: related - text: PL-10 - - - href: #pl-11 - rel: related - text: PL-11 - - - href: #ps-7 - rel: related - text: PS-7 - - - href: #sa-2 - rel: related - text: SA-2 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sr-3 - rel: related - text: SR-3 - - - href: #sr-5 - rel: related - text: SR-5 - parts: - - - id: sa-9_smt - name: statement - parts: - - - id: sa-9_smt.a - name: item - properties: - - - name: label - value: a. - prose: Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ sa-9_prm_1 }}; - - - id: sa-9_smt.b - name: item - properties: - - - name: label - value: b. - prose: Define and document organizational oversight and user roles and responsibilities with regard to external system services; and - - - id: sa-9_smt.c - name: item - properties: - - - name: label - value: c. - prose: Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ sa-9_prm_2 }}. - - - id: sa-9_gdn - name: guidance - prose: External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. - - - id: sa-11 - class: SP800-53 - title: Developer Testing and Evaluation - parameters: - - - id: sa-11_prm_1 - - - id: sa-11_prm_2 - label: organization-defined frequency - - - id: sa-11_prm_3 - label: organization-defined depth and coverage - properties: - - - name: label - value: SA-11 - - - name: sort-id - value: SA-11 - links: - - - href: #2ce3a8bf-7f8b-4249-bd16-808231415b14 - rel: reference - text: [ISO 15408-3] - - - href: #1d9f757b-00d5-4db1-b15b-0ad641c6df7c - rel: reference - text: [SP 800-30] - - - href: #5db6dfe4-788e-4183-93b9-f6fb29d75e41 - rel: reference - text: [SP 800-53A] - - - href: #fd0f14f5-8910-45c4-b60a-0c8936e00daa - rel: reference - text: [SP 800-154] - - - href: #8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - rel: reference - text: [SP 800-160 v1] - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #cm-4 - rel: related - text: CM-4 - - - href: #sa-3 - rel: related - text: SA-3 - - - href: #sa-4 - rel: related - text: SA-4 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #sa-15 - rel: related - text: SA-15 - - - href: #sa-17 - rel: related - text: SA-17 - - - href: #si-2 - rel: related - text: SI-2 - - - href: #sr-5 - rel: related - text: SR-5 - - - href: #sr-6 - rel: related - text: SR-6 - - - href: #sr-7 - rel: related - text: SR-7 - parts: - - - id: sa-11_smt - name: statement - prose: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: - parts: - - - id: sa-11_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop and implement a plan for ongoing security and privacy assessments; - - - id: sa-11_smt.b - name: item - properties: - - - name: label - value: b. - prose: Perform {{ sa-11_prm_1 }} testing/evaluation {{ sa-11_prm_2 }} at {{ sa-11_prm_3 }}; - - - id: sa-11_smt.c - name: item - properties: - - - name: label - value: c. - prose: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; - - - id: sa-11_smt.d - name: item - properties: - - - name: label - value: d. - prose: Implement a verifiable flaw remediation process; and - - - id: sa-11_smt.e - name: item - properties: - - - name: label - value: e. - prose: Correct flaws identified during testing and evaluation. - - - id: sa-11_gdn - name: guidance - prose: - """ - Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. - Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation. - """ - - - id: si - class: family - title: System and Information Integrity - controls: - - - id: si-1 - class: SP800-53 - title: Policy and Procedures - parameters: - - - id: si-1_prm_1 - label: organization-defined personnel or roles - - - id: si-1_prm_2 - - - id: si-1_prm_3 - label: organization-defined official - - - id: si-1_prm_4 - label: organization-defined frequency - - - id: si-1_prm_5 - label: organization-defined frequency - properties: - - - name: label - value: SI-1 - - - name: sort-id - value: SI-01 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130] - - - href: #12702585-0c72-43c9-9185-a76a59f74233 - rel: reference - text: [SP 800-12] - - - href: #9183bd83-170e-4701-b32c-97e08ef8bedb - rel: reference - text: [SP 800-100] - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-8 - rel: related - text: PS-8 - - - href: #sa-8 - rel: related - text: SA-8 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: si-1_smt - name: statement - parts: - - - id: si-1_smt.a - name: item - properties: - - - name: label - value: a. - prose: Develop, document, and disseminate to {{ si-1_prm_1 }}: - parts: - - - id: si-1_smt.a.1 - name: item - properties: - - - name: label - value: 1. - prose: - """ - - {{ si-1_prm_2 }} system and information integrity policy that: - """ - parts: - - - id: si-1_smt.a.1.a - name: item - properties: - - - name: label - value: (a) - prose: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - - - id: si-1_smt.a.1.b - name: item - properties: - - - name: label - value: (b) - prose: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - - - id: si-1_smt.a.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; - - - id: si-1_smt.b - name: item - properties: - - - name: label - value: b. - prose: Designate an {{ si-1_prm_3 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and - - - id: si-1_smt.c - name: item - properties: - - - name: label - value: c. - prose: Review and update the current system and information integrity: - parts: - - - id: si-1_smt.c.1 - name: item - properties: - - - name: label - value: 1. - prose: Policy {{ si-1_prm_4 }}; and - - - id: si-1_smt.c.2 - name: item - properties: - - - name: label - value: 2. - prose: Procedures {{ si-1_prm_5 }}. - - - id: si-1_gdn - name: guidance - prose: This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure. - - - id: si-12 - class: SP800-53 - title: Information Management and Retention - properties: - - - name: label - value: SI-12 - - - name: sort-id - value: SI-12 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #ac-1 - rel: related - text: AC-1 - - - href: #at-1 - rel: related - text: AT-1 - - - href: #au-1 - rel: related - text: AU-1 - - - href: #ca-1 - rel: related - text: CA-1 - - - href: #cm-1 - rel: related - text: CM-1 - - - href: #cp-1 - rel: related - text: CP-1 - - - href: #ia-1 - rel: related - text: IA-1 - - - href: #ir-1 - rel: related - text: IR-1 - - - href: #ma-1 - rel: related - text: MA-1 - - - href: #mp-1 - rel: related - text: MP-1 - - - href: #pe-1 - rel: related - text: PE-1 - - - href: #pl-1 - rel: related - text: PL-1 - - - href: #pm-1 - rel: related - text: PM-1 - - - href: #ps-1 - rel: related - text: PS-1 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #ra-1 - rel: related - text: RA-1 - - - href: #sa-1 - rel: related - text: SA-1 - - - href: #sc-1 - rel: related - text: SC-1 - - - href: #si-1 - rel: related - text: SI-1 - - - href: #sr-1 - rel: related - text: SR-1 - - - href: #ac-16 - rel: related - text: AC-16 - - - href: #au-5 - rel: related - text: AU-5 - - - href: #au-11 - rel: related - text: AU-11 - - - href: #ca-2 - rel: related - text: CA-2 - - - href: #ca-3 - rel: related - text: CA-3 - - - href: #ca-5 - rel: related - text: CA-5 - - - href: #ca-6 - rel: related - text: CA-6 - - - href: #ca-7 - rel: related - text: CA-7 - - - href: #ca-9 - rel: related - text: CA-9 - - - href: #cm-5 - rel: related - text: CM-5 - - - href: #cm-9 - rel: related - text: CM-9 - - - href: #cp-2 - rel: related - text: CP-2 - - - href: #ir-8 - rel: related - text: IR-8 - - - href: #mp-2 - rel: related - text: MP-2 - - - href: #mp-3 - rel: related - text: MP-3 - - - href: #mp-4 - rel: related - text: MP-4 - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pl-2 - rel: related - text: PL-2 - - - href: #pl-4 - rel: related - text: PL-4 - - - href: #pm-4 - rel: related - text: PM-4 - - - href: #pm-8 - rel: related - text: PM-8 - - - href: #pm-9 - rel: related - text: PM-9 - - - href: #ps-2 - rel: related - text: PS-2 - - - href: #ps-6 - rel: related - text: PS-6 - - - href: #pt-1 - rel: related - text: PT-1 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #ra-3 - rel: related - text: RA-3 - - - href: #sa-5 - rel: related - text: SA-5 - - - href: #sr-1 - rel: related - text: SR-1 - parts: - - - id: si-12_smt - name: statement - prose: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. - - - id: si-12_gdn - name: guidance - prose: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel. - controls: - - - id: si-12.1 - class: SP800-53-enhancement - title: Limit Personally Identifiable Information Elements - parameters: - - - id: si-12.1_prm_1 - label: organization-defined elements of personally identifiable information - properties: - - - name: label - value: SI-12(1) - - - name: sort-id - value: SI-12(01) - links: - - - href: #pm-25 - rel: related - text: PM-25 - - - href: #pt-2 - rel: related - text: PT-2 - - - href: #pt-3 - rel: related - text: PT-3 - - - href: #ra-3 - rel: related - text: RA-3 - parts: - - - id: si-12.1_smt - name: statement - prose: Limit personally identifiable information being processed in the information life cycle to the following elements of PII: {{ si-12.1_prm_1 }}. - - - id: si-12.1_gdn - name: guidance - prose: Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk. - - - id: si-12.2 - class: SP800-53-enhancement - title: Minimize Personally Identifiable Information in Testing, Training, and Research - parameters: - - - id: si-12.2_prm_1 - label: organization-defined techniques - properties: - - - name: label - value: SI-12(2) - - - name: sort-id - value: SI-12(02) - links: - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-25 - rel: related - text: PM-25 - - - href: #si-19 - rel: related - text: SI-19 - parts: - - - id: si-12.2_smt - name: statement - prose: Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ si-12.2_prm_1 }}. - - - id: si-12.2_gdn - name: guidance - prose: Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them. - - - id: si-12.3 - class: SP800-53-enhancement - title: Information Disposal - parameters: - - - id: si-12.3_prm_1 - label: organization-defined techniques - properties: - - - name: label - value: SI-12(3) - - - name: sort-id - value: SI-12(03) - links: - - - href: #mp-6 - rel: related - text: MP-6 - parts: - - - id: si-12.3_smt - name: statement - prose: Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ si-12.3_prm_1 }}. - - - id: si-12.3_gdn - name: guidance - prose: Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. Disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information. - - - id: si-18 - class: SP800-53 - title: Personally Identifiable Information Quality Operations - parameters: - - - id: si-18_prm_1 - label: organization-defined frequency - properties: - - - name: label - value: SI-18 - - - name: sort-id - value: SI-18 - links: - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #si-4 - rel: related - text: SI-4 - parts: - - - id: si-18_smt - name: statement - parts: - - - id: si-18_smt.a - name: item - properties: - - - name: label - value: a. - prose: Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ si-18_prm_1 }}; and - - - id: si-18_smt.b - name: item - properties: - - - name: label - value: b. - prose: Correct or delete inaccurate or outdated personally identifiable information. - - - id: si-18_gdn - name: guidance - prose: Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes. - controls: - - - id: si-18.4 - class: SP800-53-enhancement - title: Individual Requests - properties: - - - name: label - value: SI-18(4) - - - name: sort-id - value: SI-18(04) - links: - - - href: #pm-22 - rel: related - text: PM-22 - parts: - - - id: si-18.4_smt - name: statement - prose: Correct or delete personally identifiable information upon request by individuals or their designated representatives. - - - id: si-18.4_gdn - name: guidance - prose: Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion in determining if personally identifiable information is to be corrected or deleted, based on the scope of requests, the changes sought, the impact of the changes, and applicable laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion. - - - id: si-19 - class: SP800-53 - title: De-identification - parameters: - - - id: si-19_prm_1 - label: organization-defined elements of personally identifiable information - - - id: si-19_prm_2 - label: organization-defined frequency - properties: - - - name: label - value: SI-19 - - - name: sort-id - value: SI-19 - links: - - - href: #a646d45d-775f-4887-86d3-5a00ffbc4090 - rel: reference - text: [OMB A-130, Appendix II] - - - href: #eadef75e-7e4d-4554-b818-44946c1dde0e - rel: reference - text: [SP 800-188] - - - href: #mp-6 - rel: related - text: MP-6 - - - href: #pm-22 - rel: related - text: PM-22 - - - href: #pm-23 - rel: related - text: PM-23 - - - href: #pm-24 - rel: related - text: PM-24 - - - href: #ra-2 - rel: related - text: RA-2 - - - href: #si-12 - rel: related - text: SI-12 - parts: - - - id: si-19_smt - name: statement - parts: - - - id: si-19_smt.a - name: item - properties: - - - name: label - value: a. - prose: Remove the following elements of personally identifiable information from datasets: {{ si-19_prm_1 }}; and - - - id: si-19_smt.b - name: item - properties: - - - name: label - value: b. - prose: Evaluate {{ si-19_prm_2 }} for effectiveness of de-identification. - - - id: si-19_gdn - name: guidance - prose: De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection, since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time supports management of this residual risk. - back-matter: - resources: - - - uuid: a7dfa526-b81f-41d7-9875-c8b0faafe74b - title: [PRIVACT] - citation: - text: Privacy Act (P.L. 93-579), December 1974. - rlinks: - - - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf - - - uuid: bc2bf069-c3a5-48a4-a274-684d997be0c2 - title: [EGOV] - citation: - text: E-Government Act [includes FISMA] (P.L. 107-347), December 2002. - rlinks: - - - href: https://www.congress.gov/107/plaws/publ347/PLAW-107publ347.pdf - - - uuid: 14958422-54f6-471f-a345-802dca594dd8 - title: [FISMA] - citation: - text: Federal Information Security Modernization Act (P.L. 113-283), December 2014. - rlinks: - - - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf - - - uuid: cde25174-38e0-4a00-8919-8ee3674b8088 - title: [HSPD 7] - citation: - text: Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection*, December 2003. - rlinks: - - - href: https://www.dhs.gov/homeland-security-presidential-directive-7 - - - uuid: 395f6bb9-bcc2-41fc-977f-04372f4a6a82 - title: [OMB A-108] - citation: - text: - """ - Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act*, December 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf - - - uuid: a646d45d-775f-4887-86d3-5a00ffbc4090 - title: [OMB A-130] - citation: - text: Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016. - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf - - - uuid: f7d3617a-9a4f-4f1a-a688-845081b70390 - title: [OMB M-17-06] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services*, November 2016. ** - - """ - rlinks: - - - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf - - - uuid: 389fe193-866e-46b1-bf1d-38904b56aa7b - title: [OMB M-17-12] - citation: - text: - """ - Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information*, January 2017. ** - - """ - rlinks: - - - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf - - - uuid: 24b7b1ec-6430-41de-9353-29fdb1b488fc - title: [DHS NIPP] - citation: - text: Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)*, 2009. - rlinks: - - - href: https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf - - - uuid: 6ddb507b-6ddb-4e15-a8d4-0854e704446e - title: [ISO 15408-1] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf - - - uuid: 18abb755-c10f-407d-b0ef-4f99e5ec4a49 - title: [ISO 15408-2] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf - - - uuid: 2ce3a8bf-7f8b-4249-bd16-808231415b14 - title: [ISO 15408-3] - citation: - text: - """ - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements*, April 2017. ** - - """ - rlinks: - - - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf - - - uuid: aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b - title: [FIPS 140-3] - citation: - text: National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.140-3 - - - uuid: b3e26423-0687-47c7-ba9a-a96870d58a27 - title: [FIPS 199] - citation: - text: National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.199 - - - uuid: f2163084-3287-45e2-9ee7-95f020415495 - title: [FIPS 200] - citation: - text: National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.200 - - - uuid: ab414c48-b7a2-4ffe-b74d-4d8b8120adce - title: [FIPS 201-2] - citation: - text: National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - rlinks: - - - href: https://doi.org/10.6028/NIST.FIPS.201-2 - - - uuid: 12702585-0c72-43c9-9185-a76a59f74233 - title: [SP 800-12] - citation: - text: - """ - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-12r1 - - - uuid: ae962073-f9bb-4210-b1ad-53ef6f6afad6 - title: [SP 800-18] - citation: - text: - """ - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-18r1 - - - uuid: 1d9f757b-00d5-4db1-b15b-0ad641c6df7c - title: [SP 800-30] - citation: - text: Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-30r1 - - - uuid: ed919d0d-8e21-4df6-801d-3fbc4cb8a505 - title: [SP 800-35] - citation: - text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-35 - - - uuid: e07d73ea-96b9-4330-aff2-e0215f455343 - title: [SP 800-37] - citation: - text: Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-37r2 - - - uuid: 451e9636-402e-4c27-b3f5-e0e50f957f27 - title: [SP 800-39] - citation: - text: Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-39 - - - uuid: 2e29c363-d5be-47ba-92f5-f8a58a69b65e - title: [SP 800-50] - citation: - text: Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-50 - - - uuid: 5db6dfe4-788e-4183-93b9-f6fb29d75e41 - title: [SP 800-53A] - citation: - text: Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 - - - uuid: 8ba0d54e-fa16-4f5d-baa1-763ec3e33e26 - title: [SP 800-55] - citation: - text: Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-55r1 - - - uuid: 68949f14-9cf5-4116-91d8-e820b9df3ffd - title: [SP 800-60 v1] - citation: - text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 - - - uuid: e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc - title: [SP 800-60 v2] - citation: - text: Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 - - - uuid: 7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b - title: [SP 800-61] - citation: - text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-61r2 - - - uuid: 549993c0-9bdd-4d49-875c-f56950cc5f30 - title: [SP 800-63-3] - citation: - text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-63-3 - - - uuid: 14a7d982-9747-48e0-a877-3e8fbf6ae381 - title: [SP 800-70] - citation: - text: Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-70r4 - - - uuid: 3d6b3a16-94e7-4a43-8648-8bdeaadb271b - title: [SP 800-73-4] - citation: - text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-73-4 - - - uuid: 8b0f8559-1185-45f9-b0a9-876d7b3c1c7b - title: [SP 800-83] - citation: - text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-83r1 - - - uuid: 20bf433b-074c-47a0-8fca-cd591772ccd6 - title: [SP 800-84] - citation: - text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-84 - - - uuid: 35dfd59f-eef2-4f71-bdb5-6d878267456a - title: [SP 800-86] - citation: - text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-86 - - - uuid: fed6a3b5-2b74-499f-9172-46671f7c24c8 - title: [SP 800-88] - citation: - text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-88r1 - - - uuid: 02d8ec60-6197-43f8-9f47-18732127963e - title: [SP 800-92] - citation: - text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-92 - - - uuid: 9183bd83-170e-4701-b32c-97e08ef8bedb - title: [SP 800-100] - citation: - text: Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-100 - - - uuid: 1e2c475a-84ae-4c60-b420-8fb2ea552b71 - title: [SP 800-101] - citation: - text: - """ - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. ** - - """ - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-101r1 - - - uuid: a6b97214-55d4-4b86-a3a4-53d5911d96f7 - title: [SP 800-115] - citation: - text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-115 - - - uuid: 18c6942b-95f8-414c-b548-c8e6b8d8a172 - title: [SP 800-124] - citation: - text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-124r1 - - - uuid: a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4 - title: [SP 800-128] - citation: - text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-128 - - - uuid: c3b34083-77b2-4dab-a980-73068f8933bd - title: [SP 800-137] - citation: - text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-137 - - - uuid: ad3e8f21-07c6-4968-b002-00b64dfa70ae - title: [SP 800-150] - citation: - text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-150 - - - uuid: fd0f14f5-8910-45c4-b60a-0c8936e00daa - title: [SP 800-154] - citation: - text: Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. - rlinks: - - - href: https://csrc.nist.gov/publications/detail/sp/800-154/draft - - - uuid: 8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e - title: [SP 800-160 v1] - citation: - text: Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v1 - - - uuid: 8411e6e8-09bd-431d-bbcb-3423d36ad880 - title: [SP 800-160 v2] - citation: - text: Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-160v2 - - - uuid: 66476e76-46b4-47fb-be19-d13e6f3840df - title: [SP 800-161] - citation: - text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-161 - - - uuid: f4c3f657-de83-47ae-9aec-e144de8268d1 - title: [SP 800-181] - citation: - text: Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-181 - - - uuid: 08f518f7-f9b9-4bee-8986-860214f46b16 - title: [SP 800-184] - citation: - text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - rlinks: - - - href: https://doi.org/10.6028/NIST.SP.800-184 - - - uuid: eadef75e-7e4d-4554-b818-44946c1dde0e - title: [SP 800-188] - citation: - text: Garfinkel S (2016) De-Identifying Government Datasets. **(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - rlinks: - - - href: https://csrc.nist.gov/publications/detail/sp/800-188/draft - - - uuid: d4779b49-8acc-45ef-b4f0-30f945e81d1b - title: [IR 7539] - citation: - text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7539 - - - uuid: 09ac1fdb-36a9-483f-a04c-5c1e1bf104fb - title: [IR 7559] - citation: - text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7559 - - - uuid: 7b03adec-4405-4aac-94a0-6a9eb3f42e31 - title: [IR 7622] - citation: - text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7622 - - - uuid: daf69edb-a0ef-4447-9880-8c4bf553181f - title: [IR 7676] - citation: - text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7676 - - - uuid: 197f7ba7-9af8-4a67-b3a4-5523d850e53b - title: [IR 7870] - citation: - text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7870 - - - uuid: bb22d510-54a9-4588-b725-00d37576562b - title: [IR 7874] - citation: - text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.7874 - - - uuid: 851b5ba4-6aa0-4583-857c-4c360cbdf2a0 - title: [IR 8011 v1] - citation: - text: Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8011-1 - - - uuid: 7e7538d7-9c3a-4e5f-bbb4-638cec975415 - title: [IR 8023] - citation: - text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8023 - - - uuid: 817b4227-5857-494d-9032-915980b32f15 - title: [IR 8062] - citation: - text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. **(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - rlinks: - - - href: https://doi.org/10.6028/NIST.IR.8062 - - - uuid: 5dac2312-1d0d-416f-aebb-400fa9775b74 - title: [NIAP CCEVS] - citation: - text: National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*. - rlinks: - - - href: https://www.niap-ccevs.org/ - - - uuid: 634dec27-df88-4c30-b1a4-b57cdfd24f20 - title: [NSA CSFC] - citation: - text: National Security Agency, *Commercial Solutions for Classified Program (CSfC)*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/csfc - - - uuid: a52271dc-11b5-423a-8b6f-14867bd94259 - title: [NSA MEDIA] - citation: - text: National Security Agency, *Media Destruction Guidance*. - rlinks: - - - href: https://www.nsa.gov/resources/everyone/media-destruction diff --git a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.yaml b/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.yaml deleted file mode 100644 index 238c33ec75..0000000000 --- a/content/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5-FPD_PRIVACY-baseline_profile.yaml +++ /dev/null @@ -1,210 +0,0 @@ -profile: - uuid: fcd0e29e-74e3-4f59-9834-f72a98fa2519 - metadata: - title: SP800-53 PRIVACY BASELINE - last-modified: 2020-08-26T16:28:37.032-04:00 - version: FPD - oscal-version: 1.0.0-milestone3 - roles: - - - id: creator - title: Document Creator - - - id: contact - title: Contact - parties: - - - uuid: d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - type: organization - party-name: Joint Task Force, Transformation Initiative - addresses: - - - postal-address: National Institute of Standards and Technology,Attn: Computer Security Division,Information Technology Laboratory,100 Bureau Drive (Mail Stop 8930) - city: Gaithersburg - state: MD - postal-code: 20899-8930 - email-addresses: sec-cert@nist.gov - responsible-parties: - creator: - party-uuids: d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - contact: - party-uuids: d8bc8fc4-0f2e-4bfd-983f-e2ec9dc64696 - imports: - - - href: NIST_SP-800-53_rev5-FPD_catalog.xml - include: - id-selectors: - - - control-id: ac-1 - - - control-id: ac-3.14 - - - control-id: at-1 - - - control-id: at-2 - - - control-id: at-2.5 - - - control-id: at-3 - - - control-id: at-3.5 - - - control-id: at-4 - - - control-id: au-1 - - - control-id: au-2 - - - control-id: au-11 - - - control-id: ca-1 - - - control-id: ca-2 - - - control-id: ca-5 - - - control-id: ca-6 - - - control-id: ca-7 - - - control-id: ca-7.4 - - - control-id: cm-1 - - - control-id: cm-4 - - - control-id: ir-1 - - - control-id: ir-3 - - - control-id: ir-4 - - - control-id: ir-6 - - - control-id: ir-7 - - - control-id: ir-8 - - - control-id: ir-8.1 - - - control-id: mp-1 - - - control-id: mp-6 - - - control-id: pl-1 - - - control-id: pl-2 - - - control-id: pl-4 - - - control-id: pl-4.1 - - - control-id: pl-8 - - - control-id: pl-9 - - - control-id: pm-3 - - - control-id: pm-4 - - - control-id: pm-5.1 - - - control-id: pm-6 - - - control-id: pm-7 - - - control-id: pm-8 - - - control-id: pm-9 - - - control-id: pm-10 - - - control-id: pm-11 - - - control-id: pm-13 - - - control-id: pm-14 - - - control-id: pm-18 - - - control-id: pm-19 - - - control-id: pm-20 - - - control-id: pm-21 - - - control-id: pm-22 - - - control-id: pm-24 - - - control-id: pm-25 - - - control-id: pm-26 - - - control-id: pm-27 - - - control-id: pm-31 - - - control-id: pm-33 - - - control-id: pt-1 - - - control-id: pt-2 - - - control-id: pt-3 - - - control-id: pt-4 - - - control-id: pt-5 - - - control-id: pt-6 - - - control-id: pt-6.2 - - - control-id: pt-7 - - - control-id: pt-7.1 - - - control-id: pt-7.2 - - - control-id: pt-8 - - - control-id: pt-8.1 - - - control-id: pt-8.2 - - - control-id: pt-9 - - - control-id: ra-1 - - - control-id: ra-3 - - - control-id: ra-7 - - - control-id: ra-8 - - - control-id: sa-1 - - - control-id: sa-4 - - - control-id: sa-9 - - - control-id: sa-11 - - - control-id: si-1 - - - control-id: si-12 - - - control-id: si-12.1 - - - control-id: si-12.2 - - - control-id: si-12.3 - - - control-id: si-18 - - - control-id: si-18.4 - - - control-id: si-19 - merge: - as-is: true